Abstract

In this paper, we study the time-bounded reachability problem for rectangular hybrid automata with non-negative rates (RHA$^{\geq 0}$). This problem was recently shown to be decidable [5] (even though the unbounded reachability problem for even very simple classes of hybrid automata is well-known to be undecidable). However, [5] does not provide a precise characterisation of the complexity of the time-bounded reachability problem. The contribution of the present paper is threefold. First, we provide a new NEXPTIME algorithm to solve the time-bounded reachability problem on RHA$^{\geq 0}$. This algorithm improves on the one of [5] by at least one exponential. Second, we show that this new algorithm is optimal, by establishing a matching lower bound: time-bounded reachability for RHA$^{\geq 0}$ is therefore NEXPTIME-complete. Third, we extend these results in a practical direction, by showing that we can effectively compute fixpoints that characterise the sets of states that are reachable (resp. co-reachable) within $T$ time units from a given starting state.



1 Introduction 

Hybrid systems form a general class of systems that mix continuous and discrete be- 
haviors. Examples of hybrid systems abound in our everyday life, particularly in appli- 
cations where an (inherently discrete) computer system must interact with a continuous 
environment. The need for modeling hybrid systems is obvious, together with methods 
to analyse those systems. 

Hybrid automata are arguably among the most prominent families of models for hybrid systems [7]. Syntactically, a hybrid automaton is a finite automaton (to model the discrete part of the system) augmented with a finite set of real-valued variables (to model the continuous part of the system). Those variables evolve with time elapsing, at a rate which is given by a flow function that depends on the current location of the automaton. The theory of hybrid automata has been well developed for about 20 years, and tools to analyse them are readily available, see for instance HyTech [8, 9] and PHAVer [6].

Hybrid automata are thus a class of powerful models, yet their high expressiveness comes at a price, in the sense that the undecidability barrier is rapidly hit. Simple reachability properties are undecidable even for the restricted subclass of stopwatch automata, where the rate of growth of each variable stays constant in all locations and is restricted to either 0 or 1 (see [10] for a survey).

On the other hand, a recent and successful line of research in the setting of timed automata has outlined the benefits of investigating time-bounded variants of classical properties [12, 14]. For instance, while language inclusion is, in general, undecidable for timed automata, it becomes decidable when considering only executions of bounded duration [14].

In a recent work [5] we have investigated the decidability of time-bounded reachability for rectangular hybrid automata (i.e., is a given state reachable by an execution of duration at most $T$, for a given $T$?). We have shown that time-bounded reachability is decidable for rectangular hybrid automata with non-negative rates (RHA$^{\geq 0}$), while it is well-known [10] that (plain, time-unbounded) reachability is not for this class. We have also shown that the decidability frontier is quite sharp, in the sense that time-bounded reachability becomes undecidable once we allow either diagonal constraints in the guards or negative rates.

To obtain decidability of time-bounded reachability for RHA$^{\geq 0}$, we rely, in [5], on a contraction operator that applies to runs, and allows us to derive, from any run of duration at most $T$ of an RHA$^{\geq 0}$ $\mathcal{H}$, an equivalent run that reaches the same state, but whose length (in terms of number of discrete transitions) is uniformly bounded by a function $F$ of the size of $\mathcal{H}$ and $T$. Hence, deciding reachability within $T$ time units reduces to exploring runs of bounded lengths only, which is feasible algorithmically (see [5] for the details). However, this previous work does not contain a precise characterisation of the complexity of time-bounded reachability. Clearly, an upper bound on the complexity depends on the bound $F$ on the length of the runs that need to be explored.

In the present work, we revisit and extend our previous results [5] in several directions, both from the theoretical and the practical point of view. First, we completely revisit the definition of the contraction operator and obtain a new operator that allows us to derive a singly exponential upper bound on the lengths of the runs that need to be considered, while the operator in [5] yields an upper bound that is at least doubly exponential. Our new contraction operator thus provides us with an NEXPTIME algorithm that improves on the algorithm of [5] by at least one exponential. Second, we show that this new algorithm is optimal, by establishing a matching lower bound. Hence, time-bounded reachability for RHA$^{\geq 0}$ is NEXPTIME-complete. Third, we extend those results towards more practical concerns, by showing that we can effectively compute fixpoints that characterise the set of states that are reachable (resp. co-reachable) within $T$ time units, from a given state. The time needed to compute them is at most doubly exponential in the size of the RHA$^{\geq 0}$ and the bound $T$. Fourth, we apply those ideas to two examples of RHA$^{\geq 0}$ for which the classical (time-unbounded) forward and backward fixpoints do not terminate. We show that, in those examples, the sets of states that are time-bounded reachable are computable in practice, for values of the time bound that allow us to derive meaningful properties.

This brief summary of the results outlines the structure of the paper. Remark that, for lack of space, some of the more technical proofs have been moved to the appendix.
2 Definitions



Let $\mathcal{I}$ be the set of intervals of real numbers with endpoints in $\mathbb{Z} \cup \{-\infty, +\infty\}$. Let $X$ be a set of continuous variables, and let $\dot{X} = \{\dot{x} \mid x \in X\}$ be the set of dotted variables, corresponding to variable first derivatives. A rectangular constraint over $X$ is an expression of the form $x \in I$ where $x$ belongs to $X$ and $I$ to $\mathcal{I}$. A diagonal constraint over $X$ is a constraint of the form $x - y \sim c$ where $x, y$ belong to $X$, $c$ to $\mathbb{Z}$, and $\sim$ is in $\{<, \leq, =, \geq, >\}$. Finite conjunctions of diagonal and rectangular constraints over $X$ are called guards; over $\dot{X}$ they are called rate constraints. A guard or rate constraint is rectangular if all its constraints are rectangular. We denote by $\mathcal{G}(X)$ and $\mathcal{R}(X)$ respectively the sets of guards and rate constraints over $X$.

Linear, rectangular and singular hybrid automata. A linear hybrid automaton (LHA) is a tuple $\mathcal{H} = (X, \mathrm{Loc}, \mathrm{Edges}, \mathrm{Rates}, \mathrm{Inv}, \mathrm{Init})$ where $X = \{x_1, \ldots, x_{|X|}\}$ is a finite set of continuous variables; $\mathrm{Loc}$ is a finite set of locations; $\mathrm{Edges} \subseteq \mathrm{Loc} \times \mathcal{G}(X) \times 2^X \times \mathrm{Loc}$ is a finite set of edges; $\mathrm{Rates} : \mathrm{Loc} \to \mathcal{R}(X)$ assigns to each location a constraint on the possible variable rates; $\mathrm{Inv} : \mathrm{Loc} \to \mathcal{G}(X)$ assigns an invariant to each location; and $\mathrm{Init} \subseteq \mathrm{Loc}$ is a set of initial locations. For an edge $e = (\ell, g, Y, \ell')$, we denote by $\mathrm{src}(e)$ and $\mathrm{trg}(e)$ the locations $\ell$ and $\ell'$ respectively; $g$ is called the guard of $e$ and $Y$ is the reset set of $e$. In the sequel, we denote by $\mathrm{rmax}$ and $\mathrm{cmax}$ the maximal constant occurring respectively in the constraints of $\{\mathrm{Rates}(\ell) \mid \ell \in \mathrm{Loc}\}$ and of $\{\mathrm{Rates}(\ell) \mid \ell \in \mathrm{Loc}\} \cup \{g \mid \exists (\ell, g, Y, \ell') \in \mathrm{Edges}\}$.

An LHA is non-negative rate if for all variables $x$, for all locations $\ell$, the constraint $\mathrm{Rates}(\ell)$ implies that $\dot{x}$ must be non-negative. A rectangular hybrid automaton (RHA) is a linear hybrid automaton in which all guards, rates, and invariants are rectangular. In the case of RHA, we view rate constraints as functions $\mathrm{Rates} : \mathrm{Loc} \times X \to \mathcal{I}$ that associate with each location $\ell$ and each variable $x$ an interval of possible rates $\mathrm{Rates}(\ell)(x)$. A singular hybrid automaton (SHA) is an RHA s.t. for all locations $\ell$ and for all variables $x$: $\mathrm{Rates}(\ell)(x)$ is a singleton. We use the shorthands RHA$^{\geq 0}$ and SHA$^{\geq 0}$ for non-negative rate RHA and SHA respectively.

LHA semantics. A valuation of a set of variables $X$ is a function $v : X \to \mathbb{R}$. We denote by $\mathbf{0}$ the valuation that assigns $0$ to each variable.

Given an LHA $\mathcal{H} = (X, \mathrm{Loc}, \mathrm{Edges}, \mathrm{Rates}, \mathrm{Inv}, \mathrm{Init})$, a state of $\mathcal{H}$ is a pair $(\ell, v)$, where $\ell \in \mathrm{Loc}$ and $v$ is a valuation of $X$. The semantics of $\mathcal{H}$ is defined as follows. Given a state $s = (\ell, v)$ of $\mathcal{H}$, an edge step $(\ell, v) \xrightarrow{e} (\ell', v')$ can occur and change the state to $(\ell', v')$ if $e = (\ell, g, Y, \ell') \in \mathrm{Edges}$, $v \models g$, $v'(x) = v(x)$ for all $x \notin Y$, and $v'(x) = 0$ for all $x \in Y$; given a time delay $t \in \mathbb{R}^+$, a continuous time step $(\ell, v) \xrightarrow{t} (\ell, v')$ can occur and change the state to $(\ell, v')$ if there exists a vector $r = (r_1, \ldots, r_{|X|})$ such that $r \models \mathrm{Rates}(\ell)$, $v' = v + (r \cdot t)$, and $v + (r \cdot t') \models \mathrm{Inv}(\ell)$ for all $0 \leq t' \leq t$.

A path in $\mathcal{H}$ is a finite sequence $e_1, e_2, \ldots, e_n$ of edges such that $\mathrm{trg}(e_i) = \mathrm{src}(e_{i+1})$ for all $1 \leq i \leq n - 1$. A timed path of $\mathcal{H}$ is a finite sequence of the form $\pi = (t_1, e_1), (t_2, e_2), \ldots, (t_n, e_n)$, such that $e_1, \ldots, e_n$ is a path in $\mathcal{H}$ and $t_i \in \mathbb{R}^+$ for all $1 \leq i \leq n$. For all $k, \ell$, we denote by $\pi[k : \ell]$ the maximal portion $(t_i, e_i), (t_{i+1}, e_{i+1}), \ldots, (t_j, e_j)$ of $\pi$ s.t. $\{i, i+1, \ldots, j\} \subseteq [k, \ell]$ (remark that the interval $[k, \ell]$ could be empty, then $\pi[k : \ell]$ is empty too). Given a timed path $\pi = (t_1, e_1), (t_2, e_2), \ldots, (t_n, e_n)$ of an SHA, we let $\mathrm{Effect}(\pi) = \sum_{i=1}^{n} \mathrm{Rates}(\ell_{i-1}) \cdot t_i$ be the effect of $\pi$ (where $\ell_{i-1} = \mathrm{src}(e_i)$ for $1 \leq i \leq n$).
A run in $\mathcal{H}$ is a sequence $s_0, (t_1, e_1), s_1, (t_2, e_2), \ldots, (t_n, e_n), s_n$ such that:

• $(t_1, e_1), (t_2, e_2), \ldots, (t_n, e_n)$ is a timed path in $\mathcal{H}$, and

• for all $0 \leq i < n$, there exists a state $s'_i$ of $\mathcal{H}$ with $s_i \xrightarrow{t_{i+1}} s'_i \xrightarrow{e_{i+1}} s_{i+1}$.

Given a run $\rho = s_0, (t_1, e_1), \ldots, s_n$, let $\mathrm{first}(\rho) = s_0 = (\ell_0, v_0)$, $\mathrm{last}(\rho) = s_n$, $\mathrm{duration}(\rho) = \sum_{i=1}^{n} t_i$ and $|\rho| = n + 1$. We say that $\rho$ is $T$-time-bounded (for $T \in \mathbb{N}$) if $\mathrm{duration}(\rho) \leq T$. Given two runs $\rho = s_0, (t_1, e_1), \ldots, (t_n, e_n), s_n$ and $\rho' = s'_0, (t'_1, e'_1), \ldots, (t'_k, e'_k), s'_k$ with $s_n = s'_0$, we let $\rho \cdot \rho'$ denote the run $s_0, (t_1, e_1), \ldots, (t_n, e_n), s_n, (t'_1, e'_1), \ldots, (t'_k, e'_k), s'_k$.

Note that a unique timed path $\mathrm{TPath}(\rho) = (t_1, e_1), (t_2, e_2), \ldots, (t_n, e_n)$ is associated with each run $\rho = s_0, (t_1, e_1), s_1, \ldots, (t_n, e_n), s_n$. Hence, we sometimes abuse notation and denote a run $\rho$ with $\mathrm{first}(\rho) = s_0$, $\mathrm{last}(\rho) = s$ and $\mathrm{TPath}(\rho) = \pi$ by $s_0 \xrightarrow{\pi} s$. The converse however is not true: given a timed path $\pi$ and an initial state $s_0$, it could be impossible to build a run starting from $s_0$ and following $\pi$ because some guards or invariants along $\pi$ might be violated. However, if such a run exists it is necessarily unique when the automaton is singular. In that case, we denote by $\mathrm{Run}(s_0, \pi)$ the function that returns the unique run $\rho$ such that $\mathrm{first}(\rho) = s_0$ and $\mathrm{TPath}(\rho) = \pi$ if it exists, and $\bot$ otherwise. Remark that, when considering an SHA: if $\rho = (\ell_0, v_0) \xrightarrow{\pi} (\ell_n, v_n)$ is a run, then for all $x$ that is not reset along $\rho$: $v_n(x) = v_0(x) + \mathrm{Effect}(\pi)(x)$.
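The run semantics above, as an added example that is not part of the paper: a small Python simulator for a singular hybrid automaton with rectangular guards and invariants. It implements the edge step, the time step (with the invariant checked along the delay) and $\mathrm{Run}(s_0, \pi)$, returning None where the paper writes $\bot$, and checks the identity $v_n(x) = v_0(x) + \mathrm{Effect}(\pi)(x)$ for a variable that is never reset. The sample automaton, the class names Edge and Sha, and the function names run_of and effect are constructed for this example and are not from the paper.

```python
from fractions import Fraction
from typing import Dict, List, Optional, Tuple

# Added example, not code from the paper: a simulator for the run semantics of
# a singular hybrid automaton (SHA). Each location fixes one rate per variable;
# guards and invariants are rectangular. All names below are this example's own.

Valuation = Dict[str, Fraction]
Guard = Dict[str, Tuple[Fraction, Fraction]]   # x -> closed interval [lo, hi]


class Edge:
    def __init__(self, name: str, src: str, guard: Guard, resets: set, trg: str):
        self.name, self.src, self.guard, self.resets, self.trg = name, src, guard, resets, trg


class Sha:
    def __init__(self, variables: List[str], rates: Dict[str, Dict[str, Fraction]],
                 invariants: Dict[str, Guard]):
        self.variables = variables
        self.rates = rates            # location -> {x: Rates(loc)(x)}, a singleton rate
        self.invariants = invariants  # location -> rectangular invariant


def satisfies(v: Valuation, g: Guard) -> bool:
    """v |= g for a rectangular guard (variables absent from g are unconstrained)."""
    return all(lo <= v[x] <= hi for x, (lo, hi) in g.items())


def time_step(h: Sha, loc: str, v: Valuation, t: Fraction) -> Optional[Valuation]:
    """(loc, v) --t--> (loc, v') with v' = v + Rates(loc) * t, provided the invariant
    holds for every intermediate delay. The invariant is a convex box and the
    trajectory is a straight line, so checking both endpoints is enough."""
    v2 = {x: v[x] + h.rates[loc][x] * t for x in h.variables}
    inv = h.invariants.get(loc, {})
    if satisfies(v, inv) and satisfies(v2, inv):
        return v2
    return None


def edge_step(h: Sha, loc: str, v: Valuation, e: Edge) -> Optional[Tuple[str, Valuation]]:
    """(loc, v) --e--> (trg(e), v') if src(e) = loc and v |= guard; reset variables go to 0."""
    if e.src != loc or not satisfies(v, e.guard):
        return None
    return e.trg, {x: (Fraction(0) if x in e.resets else v[x]) for x in h.variables}


def run_of(h: Sha, s0: Tuple[str, Valuation], path: List[Tuple[Fraction, Edge]]):
    """Run(s0, pi): the unique run s0, (t1, e1), s1, ..., sn following the timed path,
    returned as its list of states, or None (the paper's bottom) if some delay
    violates an invariant or some edge guard fails."""
    loc, v = s0
    states = [(loc, dict(v))]
    for t, e in path:
        v = time_step(h, loc, v, t)
        if v is None:
            return None
        stepped = edge_step(h, loc, v, e)
        if stepped is None:
            return None
        loc, v = stepped
        states.append((loc, dict(v)))
    return states


def effect(h: Sha, path: List[Tuple[Fraction, Edge]]) -> Valuation:
    """Effect(pi)(x) = sum_i Rates(src(e_i))(x) * t_i."""
    return {x: sum((h.rates[e.src][x] * t for t, e in path), Fraction(0))
            for x in h.variables}


# Constructed sample automaton: in A, x grows at rate 1 and y at rate 2 (with
# invariant y <= 1); in B, only x grows. Edge e1 (A -> B) requires y = 1 and
# resets y; edge e2 (B -> A) requires x <= 3.
ONE, ZERO = Fraction(1), Fraction(0)
E1 = Edge("e1", "A", {"y": (ONE, ONE)}, {"y"}, "B")
E2 = Edge("e2", "B", {"x": (ZERO, Fraction(3))}, set(), "A")
H = Sha(["x", "y"],
        rates={"A": {"x": ONE, "y": Fraction(2)}, "B": {"x": ONE, "y": ZERO}},
        invariants={"A": {"y": (ZERO, ONE)}, "B": {}})
S0 = ("A", {"x": ZERO, "y": ZERO})


def demo():
    good = [(Fraction(1, 2), E1), (ONE, E2)]     # y reaches 1 after 1/2 t.u., so e1 fires
    bad = [(Fraction(1, 4), E1), (ONE, E2)]      # y = 1/2 when e1 is tried: guard fails
    run = run_of(H, S0, good)
    last_loc, last_v = run[-1]
    # x is never reset, so v_n(x) = v_0(x) + Effect(pi)(x).
    assert last_v["x"] == S0[1]["x"] + effect(H, good)["x"]
    return run, run_of(H, S0, bad)


if __name__ == "__main__":
    ok, ko = demo()
    print("run:", ok)
    print("bad path:", ko)
```

The good path ends in $(A, x = 3/2, y = 0)$ after a run of three states; the bad path yields None because the guard $y = 1$ of e1 is not met after a quarter of a time unit.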

Time-bounded reachability problem for LHA. While the reachability problem asks whether there exists a run reaching a given goal location, we are only interested in runs having bounded duration.

Problem 1 (Time-bounded reachability problem) Given an LHA $\mathcal{H} = (X, \mathrm{Loc}, \mathrm{Edges}, \mathrm{Rates}, \mathrm{Inv}, \mathrm{Init})$, a location $\mathrm{Goal} \in \mathrm{Loc}$ and a time bound $T \in \mathbb{N}$, the time-bounded reachability problem is to decide whether there exists a finite run $\rho = (\ell_0, \mathbf{0}) \xrightarrow{\pi} (\mathrm{Goal}, \cdot)$ of $\mathcal{H}$ with $\ell_0 \in \mathrm{Init}$ and $\mathrm{duration}(\rho) \leq T$.

This problem is known to be decidable [5] for RHA$^{\geq 0}$, but its exact complexity is, so far, unknown. We prove in Section 4 (thanks to the results of Section 3) that it is NEXPTIME-complete. This problem is known to become undecidable once we allow either diagonal constraints in the guards, or negative and positive rates to occur in the LHA [5].

A more general problem that is relevant in practice is to compute a symbolic representation of all the states that are reachable in at most $T$ time units. Here, by 'symbolic representation' we mean a finite representation of the set of states that can be manipulated algorithmically. This problem, together with the definition of such a symbolic representation, will be addressed in Section 5.

Let us illustrate, by means of the RHA$^{\geq 0}$ $\mathcal{H}$ in Fig. 1, the difficulties encountered when computing the reachable states of an RHA$^{\geq 0}$. Let us characterise the set $\mathrm{Reach}_{\ell_1}(s_0)$ of all states of the form $(\ell_1, v)$ that are reachable from $s_0$. It is easy to see that $\mathrm{Reach}_{\ell_1}(s_0) = \{(\ell_1, (0, \text{rL})) \mid n \in \mathbb{N}\}$. Moreover, observe that, for all $n \in \mathbb{N}$, $(\ell_1, (0, \text{55-}))$ is reachable from $s_0$ by one and only one run, of duration $(n - 1) + \text{rL}$, and that the number of bits necessary to encode those states grows linearly with the length of the run. This example shows that finding an adequate, compact and effective representation (such as regions in the case of timed automata [2]) for the set of reachable states of an RHA$^{\geq 0}$ is not trivial (and, in full generality, impossible because reachability is undecidable for this class). Nevertheless, in Section 5 we show that, in an RHA$^{\geq 0}$, an effective representation of the set of states that are reachable within $T$ time units can be computed.

Figure 1: A simple hybrid automaton.

3 Contracting runs

In this section, we describe a contraction operator. Given an RHA $\mathcal{H}$, and one of its timed paths $\pi$ of arbitrary length but of duration $\leq T$, the contraction operator builds a timed path $\mathrm{Cnt}^*(\pi)$ that reaches the same state as $\pi$, but whose size is uniformly bounded by a function of $T$ and of the size of $\mathcal{H}$. This operator is central to prove correctness of the algorithms for time-bounded reachability in Sections 4 and 5. Since Problem 1 is undecidable if both positive and negative rates are allowed [5], we restrict our attention to RHA with non-negative rates. Moreover, for the sake of clarity, all the results presented in this section are limited to singular hybrid automata, but they extend easily to RHA$^{\geq 0}$ as we will see later. Thus, from now on, we fix an SHA$^{\geq 0}$ $\mathcal{H} = (X, \mathrm{Loc}, \mathrm{Edges}, \mathrm{Rates}, \mathrm{Inv}, \mathrm{Init})$.

Self loops. The first step of our construction consists in adding, on each location $\ell$ of $\mathcal{H}$, a self-loop $(\ell, \mathrm{true}, \emptyset, \ell)$. The resulting SHA$^{\geq 0}$ is called $\mathcal{H}'$. Those self-loops allow us to split runs of $\mathcal{H}$ into portions of arbitrarily small delays, because if $\mathcal{H}'$ admits a run of the form $(\ell, v), (t_1 + t_2, e), s$, it also admits the run $(\ell, v), (t_1, e'), (\ell, v'), (t_2, e), s$, where $e'$ is the self loop on $\ell$. Moreover, this construction preserves (time-bounded) reachability:

Lemma 1 Every run of $\mathcal{H}$ is also a run of $\mathcal{H}'$. Conversely, if $\mathcal{H}'$ admits a run $\rho'$ with $\mathrm{first}(\rho') = s_1$ and $\mathrm{last}(\rho') = s_2$, then $\mathcal{H}$ admits a run $\rho$ with $\mathrm{first}(\rho) = s_1$, $\mathrm{last}(\rho) = s_2$, $\mathrm{duration}(\rho) = \mathrm{duration}(\rho')$ and $|\rho| \leq |\rho'|$. Moreover, for each run $\rho$ of $\mathcal{H}'$, there exists a run $\rho' = \rho_1 \cdot \rho_2 \cdots \rho_n$ of $\mathcal{H}'$ s.t. $n \leq \mathrm{duration}(\rho) \times \mathrm{rmax} + 1$, $\mathrm{first}(\rho) = \mathrm{first}(\rho')$, $\mathrm{last}(\rho) = \mathrm{last}(\rho')$, $\mathrm{duration}(\rho) = \mathrm{duration}(\rho')$ and, for all $1 \leq i \leq n$: $\mathrm{duration}(\rho_i) \leq \frac{1}{\mathrm{rmax}}$.

Hybrid automaton with regions. Let us describe a second construction that applies to the syntax of the hybrid automaton, and consists, roughly speaking, in encoding the integral part of the variable valuations in the locations. Let $\mathrm{Reg}(\mathrm{cmax}) = \{[a, a], (a - 1, a) \mid a \in \{1, \ldots, \mathrm{cmax}\}\} \cup \{0^{=}, 0^{+}, (\mathrm{cmax}, +\infty)\}$ be the set of regions, and further let $\mathrm{Reg}(\mathrm{cmax}, X)$ denote the set of all functions $r : X \to \mathrm{Reg}(\mathrm{cmax})$ that assign a region to each variable. By abuse of language, we sometimes call regions the elements of $\mathrm{Reg}(\mathrm{cmax}, X)$ too. Remark that the definition of $\mathrm{Reg}(\mathrm{cmax}, X)$ differs from the classical regions [2] by the absence of $[0, 0]$, which is replaced by two symbols, $0^{=}$ and $0^{+}$, and by the fact that no information is retained about the relative values of the fractional parts of the variables. The difference between $0^{=}$ and $0^{+}$ is elucidated later (see Lemma 3). When testing for membership to a region, $0^{+}$ and $0^{=}$ should be interpreted as $[0, 0]$, i.e., $v \in 0^{+}$ and $v \in 0^{=}$ hold iff $v = 0$. Given a valuation $v$ of the set of variables $X$, and $r \in \mathrm{Reg}(\mathrm{cmax}, X)$, we let $v \in r$ iff $v(x) \in r(x)$ for all $x$, and, provided that $v > 0$, we denote by $[v]$ the (unique) element from $\mathrm{Reg}(\mathrm{cmax}, X)$ s.t. $v \in [v]$. Remark that for all sets of variables $X$ and all maximal constants $\mathrm{cmax}$: $|\mathrm{Reg}(\mathrm{cmax}, X)| \leq$ (2 x (cmax +

Let $r_1$ and $r_2$ be two regions in $\mathrm{Reg}(\mathrm{cmax}, X)$, and let $v : X \to \mathbb{R}$ be a function assigning a rate $v(x)$ to each variable $x$. Then, we say that $r_2$ is a time successor of $r_1$ under $v$ (written $r_1 \leq^{ts}_{v} r_2$) iff there are $v_1 \in r_1$, $v_2 \in r_2$ and a time delay $t$ s.t. $v_2 = v_1 + t \cdot v$. Remark that, by this definition, we can have $r_1 \leq^{ts}_{v} r_2$, $r_1(x) = 0^{=}$ and $r_2(x) = 0^{+}$ for some clock $x$ (for instance, if $v(x) = 0$).

Let us now explain how we label the locations of $\mathcal{H}'$ by regions. We let $R(\mathcal{H}') = (X, \mathrm{Loc}', \mathrm{Edges}', \mathrm{Rates}', \mathrm{Inv}', \mathrm{Init}')$ be the SHA$^{\geq 0}$ where:

• $\mathrm{Loc}' = \mathrm{Loc} \times \mathrm{Reg}(\mathrm{cmax}, X)$

• for all $(\ell, r) \in \mathrm{Loc}'$: $\mathrm{Rates}'(\ell, r) = \mathrm{Rates}(\ell)$

• for all $(\ell, r) \in \mathrm{Loc}'$: $\mathrm{Inv}'(\ell, r) = \mathrm{Inv}(\ell) \wedge \bigwedge_{x : r(x) = 0^{=}} x = 0$

• There is an edge $e' = ((\ell, r), g \wedge x \in r'' \wedge \bar{g}, Y, (\ell', r'))$ in $\mathrm{Edges}'$ iff there are an edge $e = (\ell, g, Y, \ell')$ in $\mathrm{Edges}$ and a region $r''$ s.t.: $r \leq^{ts}_{\mathrm{Rates}(\ell)} r''$; for all $x \notin Y$: $r'(x) = r''(x)$; for all $x \in Y$: $r'(x) \in \{0^{=}, 0^{+}\}$; and $\bar{g} = \bigwedge_{x \in X} \bar{g}(x)$ where:

$$\bar{g}(x) = \begin{cases} x = 0 & \text{if } r(x) = 0^{=} \\ x > 0 & \text{if } r(x) = 0^{+} \\ \mathrm{true} & \text{otherwise} \end{cases} \qquad (1)$$

In this case, we say that $e$ is the (unique) edge of $\mathcal{H}'$ corresponding to $e'$. Symmetrically, $e'$ is the only edge corresponding to $e$ between locations $(\ell, r)$ and $(\ell', r')$.

• $\mathrm{Init}' = \mathrm{Init} \times \{0^{=}, 0^{+}\}^X$

It is easy to see that this construction incurs an exponential blow-up in the number of locations. More precisely:

$|\mathrm{Loc}'| \leq |\mathrm{Loc}| \times |\mathrm{Reg}(\mathrm{cmax}, X)| = |\mathrm{Loc}| \times$ (2 x (cmax +   (2)

Let us prove that this construction preserves reachability of states:

Lemma 2 Let $s = (\ell, v)$ and $s' = (\ell', v')$ be two states of $\mathcal{H}'$. Then, $\mathcal{H}'$ admits a run $\rho$ with $\mathrm{first}(\rho) = s$ and $\mathrm{last}(\rho) = s'$ iff there are $r$ and $r'$ s.t. $R(\mathcal{H}')$ admits a run $\rho'$ with $\mathrm{first}(\rho') = ((\ell, r), v)$, $\mathrm{last}(\rho') = ((\ell', r'), v')$, $\mathrm{duration}(\rho) = \mathrm{duration}(\rho')$ and $|\rho| = |\rho'|$.

Intuitively, the regions that label locations in $R(\mathcal{H}')$ are intended to track the region to which each variable belongs when entering the location. However, in the case where a variable $x$ enters a location with value $0$, we also need to remember whether $x$ is still null when crossing the next edge (for reasons that will be made clear later). This explains why we have two regions, $0^{=}$ and $0^{+}$, corresponding to value $0$. They encode respectively the fact that the variable is null (resp. strictly positive) when leaving the location.

Formally, we say that a run $\rho = ((\ell_0, r_0), v_0), (t_1, e_1), ((\ell_1, r_1), v_1), \ldots, (t_n, e_n), ((\ell_n, r_n), v_n)$ of $R(\mathcal{H}')$ is region consistent iff (i) for all $0 \leq i \leq n$: $v_i \in r_i$ and (ii) for all $0 \leq i \leq n - 1$, for all $x \in X$: $r_i(x) = 0^{=}$ implies $v_i(x) + t_{i+1} \times \mathrm{Rates}(\ell_i)(x) = 0$ and $r_i(x) = 0^{+}$ implies $v_i(x) + t_{i+1} \times \mathrm{Rates}(\ell_i)(x) > 0$. Then, it is easy to see that the construction of $R(\mathcal{H}')$ guarantees that all runs are region consistent:

Lemma 3 All runs of $R(\mathcal{H}')$ are region consistent.
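As an added example, not code from the paper: a checker for the region-consistency condition of Lemma 3, together with the membership test and the $[v]$ map for the region set $\mathrm{Reg}(\mathrm{cmax})$. The tuple encoding of regions, the sample rates and the function names are this example's own. The constructed run shows that the same valuations are consistent when the entry label of a location is $0^{+}$ and inconsistent when it is $0^{=}$, which is exactly the distinction between the two zero symbols described above.

```python
from fractions import Fraction
from math import floor
from typing import Dict, List, Tuple

# Added example, not code from the paper: region labels of R(H') and the
# region-consistency check of Lemma 3. Regions are encoded as tuples:
# ("0=",), ("0+",), ("pt", a) for [a, a], ("open", a) for (a-1, a) and
# ("above", cmax) for (cmax, +inf). All names below are this example's own.

Region = tuple


def member(value: Fraction, reg: Region) -> bool:
    """v in r, with 0= and 0+ both read as [0, 0] for membership purposes."""
    kind = reg[0]
    if kind in ("0=", "0+"):
        return value == 0
    if kind == "pt":
        return value == reg[1]
    if kind == "open":
        return reg[1] - 1 < value < reg[1]
    if kind == "above":
        return value > reg[1]
    raise ValueError(reg)


def region_of(value: Fraction, cmax: int) -> Region:
    """[v] for v > 0: the unique region of Reg(cmax) containing v."""
    if value <= 0:
        raise ValueError("[v] is only defined for v > 0; value 0 is labelled 0= or 0+")
    if value > cmax:
        return ("above", cmax)
    if value == floor(value):
        return ("pt", int(value))
    return ("open", floor(value) + 1)


def region_consistent(states: List[Tuple[Tuple[str, Dict[str, Region]], Dict[str, Fraction]]],
                      delays: List[Fraction],
                      rates: Dict[str, Dict[str, Fraction]]) -> bool:
    """Lemma 3's condition on a run ((l0,r0),v0), (t1,e1), ((l1,r1),v1), ...:
    (i) v_i in r_i for every state, and (ii) for i < n and every x,
    r_i(x) = 0= forces x to still be 0 after t_{i+1} elapses in l_i, while
    r_i(x) = 0+ forces it to be strictly positive. The edges play no part in
    the check, so only the delays t_1..t_n are passed."""
    n = len(states) - 1
    for i, ((loc, r), v) in enumerate(states):
        if not all(member(v[x], r[x]) for x in r):          # condition (i)
            return False
        if i < n:                                           # condition (ii)
            for x, reg in r.items():
                leaving = v[x] + delays[i] * rates[loc][x]
                if reg == ("0=",) and leaving != 0:
                    return False
                if reg == ("0+",) and leaving <= 0:
                    return False
    return True


# Constructed sample: one variable x with rate 1 in location A and rate 0 in B.
RATES = {"A": {"x": Fraction(1)}, "B": {"x": Fraction(0)}}
HALF, ZERO = Fraction(1, 2), Fraction(0)


def demo():
    # x enters A at 0, leaves after 1/2 t.u. with value 1/2 (no reset), enters B at 1/2.
    labelled_plus = [(("A", {"x": ("0+",)}), {"x": ZERO}),
                     (("B", {"x": ("open", 1)}), {"x": HALF})]
    # Same valuations, but A is labelled 0=, which claims x is still 0 when leaving A.
    labelled_eq = [(("A", {"x": ("0=",)}), {"x": ZERO}),
                   (("B", {"x": ("open", 1)}), {"x": HALF})]
    # 0= is the right label when the variable does not move, e.g. rate 0 in B.
    idle = [(("B", {"x": ("0=",)}), {"x": ZERO}),
            (("A", {"x": ("0=",)}), {"x": ZERO})]
    return (region_consistent(labelled_plus, [HALF], RATES),
            region_consistent(labelled_eq, [HALF], RATES),
            region_consistent(idle, [HALF], RATES))


if __name__ == "__main__":
    print(demo())
```

Running the block prints (True, False, True): the first run is region consistent, the second violates condition (ii) in location A, and the third is consistent because x stays null while B has rate 0.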

The contraction operator we are about to describe preserves reachability of states 
when applied to carefully selected run portions only. Those portions are obtained by 
splitting several times a complete run into sub-runs, that we categorise in 4 different 
types. 

Type-0 and type-1 runs. The notion of type-0 run relies on the fact that each $T$-time-bounded run of $\mathcal{H}'$ (hence of $R(\mathcal{H}')$) corresponds to a run $\rho'$ that can be split into at most $T \times \mathrm{rmax} + 1$ portions of duration $\leq \frac{1}{\mathrm{rmax}}$ (see Lemma 1). A run $\rho$ of $R(\mathcal{H}')$ is called a type-0 run iff there are $\rho_0, \rho_1, \ldots, \rho_k$ s.t. $\rho = \rho_0 \cdot \rho_1 \cdots \rho_k$, and for all $0 \leq i \leq k$: $\mathrm{duration}(\rho_i) \leq \frac{1}{\mathrm{rmax}}$. Then, each $\rho_i$ making up the type-0 run is called a type-1 run.

Type-2 runs. Type-1 runs are further split into type-2 runs as follows. Let $\rho = s_0, (t_1, e_1), s_1, \ldots, (t_n, e_n), s_n$ be a type-1 run of $R(\mathcal{H}')$, s.t. $\mathrm{duration}(\rho) \leq T$. Let $S_\rho$ be the set of positions $1 \leq i \leq n$ s.t.:

$$\lfloor v_{i-1}(x) \rfloor > 0 \text{ and } 0 = \langle v_{i-1}(x) \rangle < \langle v_i(x) \rangle \quad \text{or}$$

where $\lfloor x \rfloor$ and $\langle x \rangle$ denote respectively the integral and fractional parts of $x$. Roughly speaking, each transition $(t_i, e_i)$ with $i \in S_\rho$ corresponds to the fact that a variable changes its region, except in the case where the variable moves from $0^{+}$ to $(0, 1)$: such transitions are not recorded in $S_\rho$. Since $\rho$ is a type-1 run, its duration is at most $\frac{1}{\mathrm{rmax}}$. Hence, each variable can cross an integer value at most once along $\rho$, because all rates are positive. Thus, the size of $S_\rho$ can be bounded by a value that does not depend on $|\rho|$:

Lemma 4 Let $\rho$ be a type-1 run. Then $|S_\rho| \leq 3 \times |X|$.

Proof. As the duration of a type-1 run is $\leq \frac{1}{\mathrm{rmax}}$, each variable can, in the worst case, follow a trajectory that will be split into 4 parts. This happens when it starts in $(b, b + 1)$, moves to $[b + 1, b + 1]$, then $(b + 1, b + 2)$, then gets reset and stays in $[0, 1)$. □

Remark that if we had recorded in $S_\rho$ the indices of the transitions from $(\ell, v)$ to $(\ell', v')$ s.t. $v(x) = 0$ and $v'(x) \in (0, 1)$ for some variable $x$, Lemma 4 would not hold, and we could not bound the size of $S_\rho$ by a value independent from $|\rho|$. Indeed, in any time interval, the density of time allows a variable to be reset and to reach a strictly positive value an arbitrary number of times.
Let us now split a type-1 run $\rho$ according to $S_\rho$. Assume $\rho = s_0, (t_1, e_1), s_1, \ldots, (t_n, e_n), s_n$, and that $S_\rho = \{p(1), \ldots, p(k)\}$, with $p(1) < p(2) < \cdots < p(k)$. Then, we let $\rho_0, \rho_1, \ldots, \rho_k$ be the runs s.t.:

$$\rho = \rho_0 \cdot s_{p(1)-1}, (t_{p(1)}, e_{p(1)}), s_{p(1)} \cdot \rho_1 \cdot s_{p(2)-1}, (t_{p(2)}, e_{p(2)}), s_{p(2)} \cdots s_{p(k)-1}, (t_{p(k)}, e_{p(k)}), s_{p(k)} \cdot \rho_k \qquad (3)$$

Each $\rho_i$ is called a type-2 run, and can be empty. The next lemma summarises the properties of this construction:

Lemma 5 Let $\rho$ be a type-1 run of $R(\mathcal{H}')$ with $\mathrm{duration}(\rho) \leq T$. Then, $\rho$ is split into $\rho_0 \cdot \rho'_1 \cdot \rho_1 \cdot \rho'_2 \cdot \rho_2 \cdots \rho'_k \cdot \rho_k$ where each $\rho_i$ is a type-2 run; $k \leq 3 \times |X|$; $|\rho'_i| = 1$ for all $1 \leq i \leq k$; and for all $1 \leq i \leq k$: $\rho_i = (\ell_0, v_0), (t_1, e_1), \ldots, (t_n, e_n), (\ell_n, v_n)$ implies that, for all $x \in X$:

• either there is $a \in \mathbb{N}_{>0}$ s.t. for all $0 \leq j \leq n$: $v_j(x) = a$ and $x$ is not reset along $\rho_i$;

• or for all $0 \leq j \leq n$: $v_j(x) \in (a, a + 1)$ with $a \in \mathbb{N}_{>0}$ and $x$ is not reset along $\rho_i$;

• or for all $0 \leq j \leq n$: $v_j(x) \in [0, 1)$.

Remark that in the last case (i.e., $x$ is in $[0, 1)$ along a type-2 run), the number of resets cannot be bounded a priori. For the sake of clarity, we summarise the construction so far by the following lemma:

Lemma 6 Each type-0 run of $R(\mathcal{H}')$ can be decomposed into $k$ type-2 runs with $k \leq 3 \times (T \times \mathrm{rmax} + 1) \times |X|$.

Type-3 runs. Finally, we obtain type-3 runs by splitting type-2 runs according to the first and last resets (if they exist) of each clock. Formally, let $s_0, (t_1, e_1), s_1, \ldots, (t_n, e_n), s_n$ be a type-2 run. Assume $Y_i$ is the reset set of $e_i$, for all $1 \leq i \leq n$. We let $FR_\rho = \{i \mid x \in Y_i \text{ and } \forall 0 < j < i : x \notin Y_j\}$ and $LR_\rho = \{i \mid x \in Y_i \text{ and } \forall i < j \leq n : x \notin Y_j\}$ be respectively the sets of edge indices where a variable is reset for the first (last) time in $\rho$. Let $R_\rho = FR_\rho \cup LR_\rho$ and assume $R_\rho = \{p(1), p(2), \ldots, p(k)\}$ with $p(1) < p(2) < \cdots < p(k)$. Then, we let $\rho_0, \rho_1, \ldots, \rho_k$ be the type-3 runs making up $\rho$ s.t. $\rho = \rho_0 \cdot s_{p(1)-1}, (t_{p(1)}, e_{p(1)}), s_{p(1)} \cdot \rho_1 \cdots s_{p(k)-1}, (t_{p(k)}, e_{p(k)}), s_{p(k)} \cdot \rho_k$. Remark that each type-2 run is split into at most $2 \times |X| + 1$ type-3 runs (i.e., $k \leq 2 \times |X|$).

Contraction operator. So far, we have defined a procedure that splits any time-bounded run of $R(\mathcal{H}')$ into a bounded number of type-3 runs. However, the construction does not allow us to bound the length of type-3 runs, because the density of time allows an arbitrary number of actions to be performed in every possible time delay. Let us now define a contraction operator that turns type-3 runs into runs with the same effect but whose lengths can be uniformly bounded (thanks to the properties of type-3 runs established below).

Intuitively, the contraction operator works as follows. Let $\rho = (\ell_0, v_0), (t_1, e_1), (\ell_1, v_1), \ldots, (t_n, e_n), (\ell_n, v_n)$ be a run, and let $\pi$ be its timed path. We contract it by looking for a pair of positions $i < j$ s.t. $\ell_i = \ell_j$ (i.e., $\pi[i + 1 : j]$ forms a loop) and s.t. all locations $\ell_{i+1}, \ell_{i+2}, \ldots, \ell_{j-1}$ occur in the prefix $\pi[1 : i]$. This situation is depicted in Fig. 2 (top). Then, the contraction consists, roughly speaking, in deleting the portion $\pi[i + 1 : j]$ from $\pi$, and in reporting the delays of the deleted loop to the other occurrences of its locations $\ell_{i+1}, \ldots, \ell_{j-1}$ in $\pi$ (that exist by hypothesis), see Fig. 2 (bottom). Clearly, in general, the resulting timed path might not yield a run as some guards could fail because of the additional delays. Yet, we prove (see Proposition 1) that, when carefully applied to type-2 runs, the contraction operator produces a genuine run with a bounded length, and that reaches the same state as the original run. Remark that the proof of soundness of the contraction operator relies on the fact that we have encoded the regions of the variable valuations in the locations. This information will be particularly critical when a variable is in $[0, 1)$ and reset.

Figure 2: Illustrating the contraction operator (top: the timed path $\pi = \ell_0 \xrightarrow{t_1, e_1} \ell_1 \xrightarrow{t_2, e_2} \cdots$; bottom: $\mathrm{Cnt}(\pi)$). Here, $i = 3$, $j = 7$, $h(4) = 2$, $h(5) = 0$ and $h(6) = 2$.

The contraction operator is first defined on timed paths (we will later lift it to type-2 runs). Let us consider a timed path $\pi = (t_1, e_1), (t_2, e_2), \ldots, (t_n, e_n)$. Let $\ell_0 = \mathrm{src}(e_1)$, and, for all $1 \leq i \leq n$: $\ell_i = \mathrm{trg}(e_i)$. Assume there are $0 \leq i < j < n$ and a function $h : \{i + 1, \ldots, j - 1\} \to \{0, \ldots, i - 1\}$ s.t. (i) $\ell_i = \ell_j$ and (ii) for all $i < p < j$: $\ell_p = \ell_{h(p)}$. Then, we let $\mathrm{Cnt}(\pi) = \ell'_0, (t'_1, e'_1), \ldots, \ell'_m$ where:

1. $m = n - (j - i)$.

2. for all $0 \leq p \leq i$: $\ell'_p = \ell_p$.

3. for all $1 \leq p \leq i$: $e'_p = e_p$ and $t'_p = t_p + \sum_{k \in h^{-1}(p-1)} t_{k+1}$.

4. $e'_{i+1} = e_{j+1}$ and $t'_{i+1} = t_{i+1} + t_{j+1}$.

5. for all $i + 1 < p \leq m$: $\ell'_p = \ell_{p+j-i}$ and $(t'_p, e'_p) = (t_{p+j-i}, e_{p+j-i})$.

Then, given a timed path $\pi$, we let $\mathrm{Cnt}^0(\pi) = \pi$, $\mathrm{Cnt}^i(\pi) = \mathrm{Cnt}(\mathrm{Cnt}^{i-1}(\pi))$ for any $i \geq 1$, and $\mathrm{Cnt}^*(\pi) = \mathrm{Cnt}^n(\pi)$ where $n$ is the least value such that $\mathrm{Cnt}^n(\pi) = \mathrm{Cnt}^{n+1}(\pi)$. Clearly, since $\pi$ is finite, and since $|\mathrm{Cnt}(\pi)| < |\pi|$ or $\mathrm{Cnt}(\pi) = \pi$ for any $\pi$, $\mathrm{Cnt}^*(\pi)$ always exists. Moreover, we can always bound the length of $\mathrm{Cnt}^*(\pi)$ by a value that does not depend on $|\pi|$.
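The operator $\mathrm{Cnt}$ and its fixpoint $\mathrm{Cnt}^*$, as an added example rather than code from the paper. The code searches for a pair $(i, j)$ and a map $h$ as in the definition, applies items 1 to 5, iterates to the fixpoint, and checks on the instance of Fig. 2 that the duration and the effect of the path are preserved (the content of Lemma 8 below) and that the result respects the bound $|\mathrm{Loc}|^2 + 1$ of Lemma 7. The edge triples, the delays $t_k = k/10$ and the per-location rates used for the effect check are constructed for the example, and the function names are this example's own.

```python
from fractions import Fraction
from typing import Dict, List, Optional, Tuple

# Added example, not code from the paper: the contraction operator Cnt on
# timed paths, iterated to the fixpoint Cnt*, on the instance of Fig. 2
# (i = 3, j = 7, h(4) = 2, h(5) = 0, h(6) = 2). An edge is a (name, src, trg)
# triple and a timed path is a list of (delay, edge) pairs. All names and the
# sample rates used to check Lemma 8 are this example's own.

Edge = Tuple[str, str, str]            # (name, src, trg)
TimedPath = List[Tuple[Fraction, Edge]]


def locations(path: TimedPath) -> List[str]:
    """l_0 = src(e_1) and l_i = trg(e_i): the n+1 locations visited by the path."""
    return [path[0][1][1]] + [e[2] for _, e in path]


def find_contraction(locs: List[str]) -> Optional[Tuple[int, int, Dict[int, int]]]:
    """First (i, j) with 0 <= i < j < n, l_i = l_j, and every l_p for i < p < j
    already present among l_0..l_{i-1}; h(p) is the index of such an earlier
    occurrence. j < n is required so that e_{j+1} exists (item 4)."""
    n = len(locs) - 1
    for i in range(n):
        prefix = locs[:i]
        for j in range(i + 1, n):
            if locs[i] != locs[j]:
                continue
            h: Dict[int, int] = {}
            for p in range(i + 1, j):
                if locs[p] not in prefix:
                    break
                h[p] = prefix.index(locs[p])
            else:
                return i, j, h
    return None


def contract_once(path: TimedPath) -> TimedPath:
    """One application of Cnt; the path is returned unchanged when no (i, j, h)
    exists. path[k] holds (t_{k+1}, e_{k+1}), so t_p is path[p-1][0]."""
    found = find_contraction(locations(path))
    if found is None:
        return path
    i, j, h = found
    out: TimedPath = []
    for p in range(1, i + 1):                       # item 3: keep e_p, absorb loop delays
        t, e = path[p - 1]
        absorbed = sum((path[k][0] for k, hp in h.items() if hp == p - 1), Fraction(0))
        out.append((t + absorbed, e))               # t'_p = t_p + sum_{k in h^-1(p-1)} t_{k+1}
    out.append((path[i][0] + path[j][0], path[j][1]))  # item 4: (t_{i+1} + t_{j+1}, e_{j+1})
    out.extend(path[j + 1:])                        # item 5: the suffix after e_{j+1}
    return out


def contract_star(path: TimedPath) -> TimedPath:
    """Cnt*: iterate Cnt until it no longer shrinks the path."""
    while True:
        nxt = contract_once(path)
        if len(nxt) == len(path):
            return path
        path = nxt


def duration(path: TimedPath) -> Fraction:
    return sum((t for t, _ in path), Fraction(0))


def effect(path: TimedPath, rates: Dict[str, Fraction]) -> Fraction:
    """Effect(pi) for one variable: sum_i Rates(src(e_i)) * t_i."""
    return sum((rates[e[1]] * t for t, e in path), Fraction(0))


def fig2_path() -> TimedPath:
    """Constructed instance of Fig. 2: locations A,B,C,D,C,A,C,D,E, so that
    l_4 = l_2, l_5 = l_0, l_6 = l_2 and l_7 = l_3; delays t_k = k/10."""
    locs = ["A", "B", "C", "D", "C", "A", "C", "D", "E"]
    return [(Fraction(k, 10), (f"e{k}", locs[k - 1], locs[k])) for k in range(1, 9)]


# Constructed singular rates for one variable, used only to check Lemma 8.
RATES = {"A": Fraction(1), "B": Fraction(2), "C": Fraction(0), "D": Fraction(3), "E": Fraction(1)}


def demo() -> dict:
    pi = fig2_path()
    star = contract_star(pi)
    return {
        "witness": find_contraction(locations(pi)),          # (3, 7, {4: 2, 5: 0, 6: 2})
        "length_before": len(pi), "length_after": len(star),
        "same_duration": duration(pi) == duration(star),
        "same_effect": effect(pi, RATES) == effect(star, RATES),
        "within_lemma7_bound": len(star) <= len(set(locations(pi))) ** 2 + 1,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

On the Fig. 2 instance the witness found is $i = 3$, $j = 7$ with $h = \{4 \mapsto 2, 5 \mapsto 0, 6 \mapsto 2\}$; the loop $e_4, \ldots, e_7$ is deleted, the delays $t_5$ and $t_7$ are added to $t_3$ (the earlier visit of C), $t_6$ is added to $t_1$ (the earlier visit of A), $t_8$ is merged with $t_4$, and the eight-edge path becomes $e_1, e_2, e_3, e_8$ with the same duration and effect.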

Lemma 7 For all timed paths $\pi$: $|\mathrm{Cnt}^*(\pi)| \leq |\mathrm{Loc}|^2 + 1$.

Proof. Assume $\pi' = \mathrm{Cnt}^*(\pi) = (t_1, e_1), (t_2, e_2), \ldots, (t_n, e_n)$. Let $\ell_0 = \mathrm{src}(e_1)$, and $\ell_i = \mathrm{trg}(e_i)$ for all $1 \leq i \leq n$. Let $\mathrm{Loc}' = \{L_0, \ldots, L_m\} \subseteq \mathrm{Loc}$ be the set of locations that appear in $\pi'$. For all $L_i \in \mathrm{Loc}'$, let $k_i$ denote the least index s.t. $\ell_{k_i} = L_i$ (i.e., the first occurrence of $L_i$ in $\pi'$). Wlog, we assume that $k_0 < k_1 < \cdots < k_m$. Then, clearly, $k_0 = 0$. Observe that each portion of the form $\pi'[k_i : k_{i+1} - 1]$ (with $0 \leq i \leq m - 1$) is of length at most $|\mathrm{Loc}'|$. Otherwise, the contraction operation can be applied in this portion, as there must be two positions $k_i \leq \alpha < \beta \leq k_{i+1} - 1$ s.t. $\ell_\alpha = \ell_\beta$, and all the locations occurring along $\pi'[\alpha : \beta - 1]$ have occurred before, by definition of $k_i$ and $k_{i+1}$. By the same arguments, $|\pi'[k_m : n - 1]| \leq |\mathrm{Loc}'|$ (remark that, by definition of the contraction operator, the last location $\ell_n$ will never be considered for contraction). As $\pi'[0 : n - 1]$ is made up of all those portions, and as there are $|\mathrm{Loc}'|$ portions, $|\pi'|$ is bounded by $|\mathrm{Loc}'|^2 + 1 \leq |\mathrm{Loc}|^2 + 1$. □

We can now lift the definition of the contraction operator to runs of type-2. Let $\rho$ be a type-2 run and let us consider its (unique) decomposition into type-3 runs, as above. Then, we let $\mathrm{Cnt}(\rho) = \mathrm{Run}(\mathrm{first}(\rho), \pi_{\mathrm{Cnt}(\rho)})$, where:

$$\pi_{\mathrm{Cnt}(\rho)} = \mathrm{Cnt}^*(\mathrm{TPath}(\rho_0)), (t_{p(1)}, e_{p(1)}), \mathrm{Cnt}^*(\mathrm{TPath}(\rho_1)), (t_{p(2)}, e_{p(2)}), \ldots, (t_{p(k)}, e_{p(k)}), \mathrm{Cnt}^*(\mathrm{TPath}(\rho_k))$$

By definition of $\mathrm{Cnt}^*$, and by definition of $\mathrm{Cnt}$ on type-2 runs, it is easy to see that:

Lemma 8 For all type-3 runs $\rho$: $\mathrm{duration}(\mathrm{Cnt}^*(\mathrm{TPath}(\rho))) = \mathrm{duration}(\rho)$ and for all variables $x$: $\mathrm{Effect}(\mathrm{Cnt}^*(\mathrm{TPath}(\rho)))(x) = \mathrm{Effect}(\mathrm{TPath}(\rho))(x)$. Similarly, for all type-2 runs $\rho$: $\mathrm{duration}(\pi_{\mathrm{Cnt}(\rho)}) = \mathrm{duration}(\rho)$ and for all variables $x$: $\mathrm{Effect}(\pi_{\mathrm{Cnt}(\rho)})(x) = \mathrm{Effect}(\mathrm{TPath}(\rho))(x)$.

Let us show that the contraction of type-2 runs is sound:

Proposition 1 For all type-2 runs $\rho$: $\mathrm{Cnt}(\rho) \neq \bot$, $\mathrm{first}(\mathrm{Cnt}(\rho)) = \mathrm{first}(\rho)$ and $\mathrm{last}(\mathrm{Cnt}(\rho)) = \mathrm{last}(\rho)$.

Proof. Let $\rho = (\ell_0, v_0), (t_1, e_1), \ldots, (t_n, e_n), (\ell_n, v_n)$. Let $\pi$ denote $\mathrm{TPath}(\rho)$, and let $\pi_{\mathrm{Cnt}(\rho)} = (t'_1, e'_1), \ldots, (t'_k, e'_k)$. For all $1 \leq i \leq k$, let $\ell'_i = \mathrm{trg}(e'_i)$, and let $\ell'_0 = \mathrm{src}(e'_1) = \ell_0$.

First, observe that, by definition of the contraction operator, $\ell_n = \ell'_k$. Let us show that $\mathrm{Cnt}(\rho) \neq \bot$. Assume that, for all $0 \leq i \leq k$: $\ell'_i = (\ell_i, r_i)$ and let $v'_i$ be the valuation s.t. for all $x$:

$$v'_i(x) = \begin{cases} v'_{i-1}(x) + \mathrm{Rates}(\ell'_{i-1})(x) \times t'_i & \text{if } e'_i \text{ does not reset } x \\ 0 & \text{otherwise} \end{cases}$$

Finally, let $v'_0 = v_0$. Remark that $v'_0(x) \leq v'_1(x) \leq \cdots \leq v'_k(x)$ because rates are non-negative. Clearly, to show that $\rho' \neq \bot$, it is sufficient to show, for all $i$, that $v'_i \models g'_i$ (where $g'_i$ is the guard of $e'_i$); and that both $v_i$ and $v'_i$ satisfy¹ $\mathrm{Inv}(\ell_i)$. For the sake of clarity, we prove that all the guards are satisfied; the arguments can be easily adapted to show that the invariants are satisfied too.

First, consider a variable $x$ that is not reset along $\pi$ (hence along $\pi_{\mathrm{Cnt}(\rho)}$) and s.t. $v_0(x) = v'_0(x) > 0$. By definition of type-2 runs, and since $x$ is not reset and not null initially, $v_0(x), v_1(x), \ldots, v_n(x)$ all belong to the same interval $I$ which is either $(a - 1, a)$ or $[a, a]$ for some $a \geq 1$. Thus, in particular, $v_0(x) = v'_0(x) \in I$. Moreover, since $\mathrm{Effect}(\pi_{\mathrm{Cnt}(\rho)})(x) = \mathrm{Effect}(\pi)(x)$ (Lemma 8), we have $v'_k(x) = v_n(x) \in I$ too. Hence, since $v'_0(x) \leq v'_1(x) \leq \cdots \leq v'_k(x)$, we conclude that $v'_i(x) \in I$ for all $0 \leq i \leq k$. Since all the $v_i(x)$ are also in $I$, since $\rho$ is a genuine run, and since all edges $e'_i$ in $\pi'$ are also present in $\pi$, we conclude that $v \in I$ implies $v \models g'_i$, for all valuations and all guards of some edge in $\pi$. Hence, $v'_i \models g'_i$ for all $i$.

¹ Remember that we consider RHA$^{\geq 0}$, so the invariants are convex.

Thus, we can, from now on, safely ignore all variables x that are not reset along it 
(hence along 7Tc n t(p)) an d s -t- vo(%) = ^ol 3 -) > 0> an d f° cus on variables a; that are ei- 
ther reset along ir or s.t. it) (a;) = v' {x) = 0. By definition of type-2 runs, in both cases, 
these variables take values in [0,1) in each state along p. Hence, since p is region con- 
sistent (LemmaO, all locations in p are of the form (£, r) with r(x) G {0 = , + , (0, 1)}, 
and so are all locations in nc n t(p)'- f° r all < i < fc: G {0 = , + , (0, 1)}. Let us 
denote, by p'- the value Run (first (p) , 7r Cnt ( p ) [1 : j]j for all m > 1. We further denote 
by p' the run of null length (£' , i/ ). Let us show that, for all < j < k, p'j ^ _L, by 
induction on j. 

The base case is $j = 0$ and is trivial since $(\ell_0, v_0) = (\ell'_0, v'_0)$. For the inductive case, we assume that $\rho'_{m-1} \neq \bot$ (for some $m \geq 1$) and ends in $((\ell, r), v)$, and we show that we can extend it by firing $(t'_m, e'_m)$ (i.e., that $\rho'_m \neq \bot$). Observe that, by definition of $\mathrm{Cnt}$, the edge $e'_m$ occurs in $\pi_{\mathrm{Cnt}(\rho)}$ because it was already present in $\pi$ (say, at position $a$, hence $e_a = e'_m$ and $(\ell, r) = \ell_{a-1}$). Moreover, still by definition of $\mathrm{Cnt}$, the delay $t'_m$ is equal to $t_a + \sum_{i=1}^{\beta} t_{p(i)}$, where for all $1 \leq i \leq \beta$: $\mathrm{src}(e_{p(i)}) = (\ell, r)$. We consider three cases:

1. Either $r(x) = 0^=$. In this case, since $\rho$ and $\rho'_{m-1}$ are region consistent (Lemma 3), and since the region $r(x)$ is $0^=$ (and not $0^+$), we know that $v_{a-1}(x) = 0$ ($x$ is null when entering $(\ell, r)$ at position $a-1$ in $\rho$), that $v(x) = 0$ ($x$ is null at the end of $\rho'_{m-1}$), and that $v_{a-1}(x) + t_a \times \mathrm{Rates}(\ell, r)(x) = t_a \times \mathrm{Rates}(\ell, r)(x) = 0$ ($x$ is null when leaving $(\ell, r)$ at position $a-1$ in $\rho$). This means, in particular, that it is sufficient for $x$ to be null to satisfy the guard of $e'_m = e_a$. Moreover, for all $1 \leq i \leq \beta$: $v_{p(i)-1}(x) = 0 = t_{p(i)} \times \mathrm{Rates}(\ell, r)(x)$ ($x$ is null when entering and leaving the locations at all positions $p(i)$ that have yielded the contraction in $\rho$). Thus, the value that $x$ takes after letting $t'_m$ t.u. elapse from the last state of $\rho'_{m-1}$ is
$$v'(x) = v(x) + t'_m \times \mathrm{Rates}(\ell, r)(x) = \Big(t_a + \sum_{i=1}^{\beta} t_{p(i)}\Big) \times \mathrm{Rates}(\ell, r)(x) = 0.$$
Hence $v'(x)$ satisfies the guard of $e'_m$, and we can extend $\rho'_{m-1}$ by $(t'_m, e'_m)$.

2. Or $r(x) = 0^+$. In this case, we know that $v_{a-1}(x) = v(x) = 0$, that $t_a \times \mathrm{Rates}(\ell, r)(x) > 0$, and that for all $1 \leq i \leq \beta$: $v_{p(i)-1}(x) = 0$ and $t_{p(i)} \times \mathrm{Rates}(\ell, r)(x) > 0$. Moreover, since $\mathrm{duration}(\rho)$ is bounded by the definition of type-2 runs, we can make this information more precise and conclude that $t_a \times \mathrm{Rates}(\ell, r)(x) \in (0,1)$ and that for all $1 \leq i \leq \beta$: $t_{p(i)} \times \mathrm{Rates}(\ell, r)(x) \in (0,1)$. Thus, it is sufficient, to satisfy the constraints on $x$ in the guard of $e'_m$, that $x \in (0,1)$. Let us show that $v'(x) = (t_a + \sum_{i=1}^{\beta} t_{p(i)}) \times \mathrm{Rates}(\ell, r)(x)$ is in $(0,1)$ too. We have $v'(x) > 0$ because $t_a \times \mathrm{Rates}(\ell, r)(x) > 0$, as shown above. Moreover, $v'(x) < 1$ because $t_a + \sum_{i=1}^{\beta} t_{p(i)} = \mathrm{duration}(\rho)$, which is bounded by the definition of type-2 runs. Thus, $v'(x)$ satisfies the guard of $e'_m$ and we can extend $\rho'_{m-1}$ by $(t'_m, e'_m)$.

3. Or $r(x) = (0,1)$. In this case, we can rely on the same arguments as above to show that $v'(x) > 0$, and that $v'(x)$ should be in $(0,1)$ to satisfy the guard of $e'_m$. The difference with the previous case is that $v(x) \neq 0$ here, and we have to make sure that the additional delay accumulated on $(\ell, r)$ by the contraction operator does not increase $x$ above 1. This property holds because of the split of type-2 runs into type-3 runs, according to the first reset of each variable. More precisely, we consider two cases. Either $\ell_{a-1}$ occurs, in $\rho$, in a type-3 run that takes place after the first reset of $x$. In this case, $v'(x) = v(x) + (t_a + \sum_{i=1}^{\beta} t_{p(i)}) \times \mathrm{Rates}(\ell, r)(x) < 1$, because all the $t_{p(i)}$ also occur in $\pi[a:n]$ (i.e., after the first reset of $x$), and $\mathrm{duration}(\pi[a:n])$ is bounded by the definition of type-2 runs. Or $\ell_{a-1}$ occurs, in $\rho$, in a type-3 run that takes place before the first reset of $x$. In this case, $v'(x) = v(x) + (t_a + \sum_{i=1}^{\beta} t_{p(i)}) \times \mathrm{Rates}(\ell, r)(x) \geq 1$ implies that, in $\rho$: $v_{p(\beta)}(x) \geq 1$, which contradicts the definition of type-2 runs. Hence, $v'(x) \in (0,1)$ and we can extend $\rho'_{m-1}$ by $(t'_m, e'_m)$.

Let us conclude the proof by showing that $v'_k = v_n$. We distinguish the following cases. First, $x$ is a variable that is not reset along $\rho$. Since $\mathrm{Effect}(\mathrm{Cnt}^*(\pi))(x) = \mathrm{Effect}(\pi)(x)$ (Lemma 8), and since $v_0 = v'_0$, we conclude that $v'_k(x) = v_n(x)$. Second, $x$ is a variable that is reset along $\rho$. Since the duration of a type-2 run is at most 1, $v_n(x) \in [0,1)$. Thus, we consider two further cases. Either $v_n(x) = 0$. Since $\rho$ is region-consistent (Lemma 3), $\ell_n$ is of the form $(\ell, r)$ with $r(x) \in \{0^+, 0^=\}$. However, $\ell_n = \ell'_k$ and since $\mathrm{Cnt}(\rho)$ is a run and hence region-consistent, we conclude that $v'_k(x) = 0$ too. Or $v_n(x) \in (0,1)$. In this case, it is easy to observe that $v_n(x)$ depends only on the portion of $\rho$ that occurs after the last reset of $x$, i.e., $v_n(x) = \mathrm{Effect}(\pi[i+1:n])(x)$, where $i$ is the largest position in $\rho$ s.t. $e_i$ resets $x$. By definition of the contraction operator on type-2 runs, $e_i$ occurs at some position $\alpha$ of $\pi_{\mathrm{Cnt}(\rho)}$, i.e. $e_i = e'_\alpha$ and $e'_\alpha$ is the last edge of $\pi_{\mathrm{Cnt}(\rho)}$ to reset $x$. Thus, $v'_k(x) = \mathrm{Effect}(\pi_{\mathrm{Cnt}(\rho)}[\alpha+1:k])(x)$. However, by Lemma 8 and by definition of the contraction of type-2 runs: $\mathrm{Effect}(\pi_{\mathrm{Cnt}(\rho)}[\alpha+1:k])(x) = \mathrm{Effect}(\pi[i+1:n])(x)$. Hence, $v_n(x) = v'_k(x)$. □

Then, observe that, by the above definition, and by Lemma 7, we can bound the length of $\mathrm{Cnt}(\rho)$ for type-2 runs $\rho$:

Lemma 9 For all type-2 runs $\rho$: $|\mathrm{Cnt}(\rho)| \leq 8 \times |\mathrm{Loc}|^2 \times |X|$.

Proof. By definition of type-2 runs, and by Lemma 7, $|\mathrm{Cnt}(\rho)|$ is at most $(2 \times |X| + 1) \times (|\mathrm{Loc}|^2 + 1) + 2 \times |X| = 2 \times (|X| + 1) \times (|\mathrm{Loc}|^2 + 1)$. However, w.l.o.g., $|\mathrm{Loc}| \geq 1$ and $|X| \geq 1$. Hence $|X| + 1 \leq 2 \times |X|$ and $|\mathrm{Loc}|^2 + 1 \leq 2 \times |\mathrm{Loc}|^2$. Hence the lemma. □

We can now explain more intuitively why we need two different regions ($0^=$ and $0^+$) for variables that are null, and cannot use $[0,0]$ instead. Consider the example given in Fig. 3. Run $\rho_1$ depicts a run of an automaton with a single variable $x$, where we have used only the region $[0,0]$ in the construction of $R(\mathcal{H}')$. In this run, $x$ is null in all four states. The two locations of $R(\mathcal{H}')$ that are met are $(\ell_1, [0,0])$ and $(\ell_2, [0,0])$ (and in both locations, the rate of $x$ is strictly positive). Hence, the contraction operator 'merges' the two occurrences of both locations, and produces $\rho_2$. However, $\rho_2$ fails to satisfy Proposition 1, as $x$ is null in the last state of $\rho_1$ but not in the last state of $\rho_2$. This comes from the fact that the region $[0,0]$ does not allow us to distinguish between locations that are left with a strictly positive delay and locations that are left with a null delay. With our definition of $R(\mathcal{H}')$, however, the first state of the run is $((\ell_1, 0^=), 0)$, as $x$ is null when crossing the first edge, but the third state is $((\ell_1, 0^+), 0)$, as $x$ is not null when crossing the last edge, which avoids the problem illustrated in Fig. 3.

Thus, summing up the properties of the contraction operator and the splitting procedure, we obtain, as a corollary of Proposition 1 and Lemma 6:

Corollary 1 Let $s$ and $s'$ be two states of $R(\mathcal{H}')$. Then, $R(\mathcal{H}')$ admits a $T$-time-bounded type-0 run $\rho$ with $\mathrm{first}(\rho) = s$ and $\mathrm{last}(\rho) = s'$ iff it admits a $T$-time-bounded type-0 run $\rho'$ with $\mathrm{first}(\rho') = s$, $\mathrm{last}(\rho') = s'$ and $|\rho'| \leq 48 \times T \times \mathrm{rmax} \times |\mathrm{Loc}'|^2 \times |X|^2$, where $X$, $\mathrm{Loc}'$ and $\mathrm{rmax}$ are resp. the set of variables, the set of locations and the maximal rate of $R(\mathcal{H}')$.

Figure 3: An example that shows why the contraction operator fails if we use $[0,0]$ to characterise the variables that are null. (The figure itself is not reproduced; its labels read as follows.) Before contraction: $\rho_1 = ((\ell_1,[0,0]),0) \to ((\ell_2,[0,0]),0) \to ((\ell_1,[0,0]),0) \to ((\ell_2,[0,0]),0)$; $x$ is null when crossing the first edge (with our definition this location would be $(\ell_1, 0^=)$) and not null when crossing the last edge (with our definition this location would be $(\ell_1, 0^+)$). After contraction: $\rho_2 = ((\ell_1,[0,0]),0) \to ((\ell_2,[0,0]), t_1 + t_2) \to \cdots$, where $x$ is not null when crossing the edge, so we reach a state where $x$ is not null anymore.

Finally, for all SHA$^{\geq 0}$ $\mathcal{H} = (X, \mathrm{Loc}, \mathrm{Edges}, \mathrm{Rates}, \mathrm{Inv}, \mathrm{Init})$ and all time bounds $T \in \mathbb{N}$, we let:
$$F(\mathcal{H}, T) = 24 \times (T \times \mathrm{rmax} + 1) \times |X|^2 \times |\mathrm{Loc}|^2 \times (2 \times \mathrm{cmax} + 1)^{2 \times |X|}$$

This value $F(\mathcal{H}, T)$ is actually a bound on the length of the runs we need to consider to decide $T$-time-bounded reachability:

Theorem 1 Let $\mathcal{H}$ be a SHA$^{\geq 0}$, $T$ be a time bound and let $s_1$ and $s_2$ be two states of $\mathcal{H}$. Then $\mathcal{H}$ admits a $T$-time-bounded run $\rho$ with $\mathrm{first}(\rho) = s_1$ and $\mathrm{last}(\rho) = s_2$ iff it admits a $T$-time-bounded run $\rho'$ with $|\rho'| \leq F(\mathcal{H}, T)$, $\mathrm{first}(\rho') = s_1$ and $\mathrm{last}(\rho') = s_2$.

Proof. The if direction is trivial; let us prove the only if direction by proving the contraposition, i.e., that if $\mathcal{H}$ admits no $T$-time-bounded run of length at most $F(\mathcal{H}, T)$ from $s_1$ to $s_2$, then it admits no $T$-time-bounded run from $s_1$ to $s_2$ at all. By Lemma 1, if $\mathcal{H}$ admits no $T$-time-bounded run of length at most $F(\mathcal{H}, T)$ from $s_1 = (\ell_1, v_1)$ to $s_2 = (\ell_2, v_2)$, then $\mathcal{H}'$ admits no $T$-time-bounded run of length at most $F(\mathcal{H}, T)$ from $s_1$ to $s_2$. Then, by Lemma 2, for all pairs of regions $r_1, r_2$: $R(\mathcal{H}')$ admits no type-0 $T$-time-bounded run of length at most $F(\mathcal{H}, T)$ from $s'_1 = ((\ell_1, r_1), v_1)$ to $s'_2 = ((\ell_2, r_2), v_2)$. By Corollary 1, $R(\mathcal{H}')$ admits no type-0 $T$-time-bounded run from $s'_1$ to $s'_2$, regardless of the length of the run. Hence, by Lemma 2, $\mathcal{H}'$ admits no $T$-time-bounded run $\rho$ from $s_1$ to $s_2$, and neither does $\mathcal{H}$, by Lemma 1 again. □

Remark that $F(\mathcal{H}, T) = O(T \times 2^{|\mathcal{H}|})$, where $|\mathcal{H}|$ is the number of bits necessary to encode $\mathcal{H}$, using standard encoding techniques and binary encoding for the constants. Hence, Theorem 1 tells us that, to decide $T$-time-bounded reachability, we only need to consider runs whose length is singly exponential in the size of the instance $(\mathcal{H}, T)$.

Let us now briefly explain how we can adapt the previous construction to cope with non-singular rates. Let us first notice that, given an RHA$^{\geq 0}$ $\mathcal{H}$, the construction of $R(\mathcal{H}')$ still makes perfect sense and still satisfies Lemma 3. Then, we need to adapt the definition of timed path. A timed path is now of the form $(t_1, R_1, e_1) \cdots (t_n, R_n, e_n)$, where each $R_i : X \mapsto \mathbb{R}$ gives the actual rate that was chosen for each variable at the $i$-th continuous step. It is then straightforward to extend the definitions of $\mathrm{Cnt}$, $\mathrm{Effect}$ and $\mathrm{Contraction}$ to take those rates into account and still keep the properties needed to prove Theorem 1. More precisely, the contraction of a set of transitions $(t_1, R_1, e_1), \ldots, (t_n, R_n, e_n)$ yields a transition $(t, R, e)$ with $t = \sum_{i=1}^{n} t_i$ and $R = \frac{\sum_{i=1}^{n} t_i \times R_i}{t}$. Note that we need to rely on the convexity of the invariants and rates in an RHA to ensure that this construction is correct. Thus, we can extend Theorem 1 to the case of RHA with non-negative rates (RHA$^{\geq 0}$):

Corollary 2 Let $\mathcal{H}$ be an RHA$^{\geq 0}$, $T$ be a time bound and let $s_1$ and $s_2$ be two states of $\mathcal{H}$. Then $\mathcal{H}$ admits a $T$-time-bounded run $\rho$ with $\mathrm{first}(\rho) = s_1$ and $\mathrm{last}(\rho) = s_2$ iff it admits a $T$-time-bounded run $\rho'$ with $|\rho'| \leq F(\mathcal{H}, T)$, $\mathrm{first}(\rho') = s_1$ and $\mathrm{last}(\rho') = s_2$.
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4 Time-bounded reachability is NEXPTIME-c 



In this section, we establish the exact computational complexity of the time-bounded 
reachability problem for RHA-°. 

Theorem 2 The time-bounded reachability problem for RHA-° is complete for NEx- 
pTime. 

To prove this theorem, we exhibit an NexpTime algorithm for time-bounded reach- 
ability and we reduce this problem from the reachability problem of exponential time 
Turing machine. 

An NExpTime algorithm Recall that an instance of the time-bounded reachability problem is of the form $(\mathcal{H}, \ell, T)$, where $\mathcal{H}$ is an RHA$^{\geq 0}$, $\ell$ is a location, and $T$ is a time bound (expressed in binary). We establish membership in NExpTime by giving a non-deterministic algorithm that runs in time exponential in the size of $(\mathcal{H}, \ell, T)$ in the worst case. The algorithm first guesses a sequence of edges $\xi = e_0 e_1 \ldots e_n$ of $\mathcal{H}$ s.t. $n + 1 \leq F(\mathcal{H}, T)$ and $\mathrm{trg}(e_n) = \ell$. Then the algorithm builds from $\xi$ a linear constraint $\Phi(\xi)$ that expresses all the properties that must be satisfied by a run that follows the sequence of edges in $\xi$ (see [13] for a detailed explanation of how to build such a constraint). This constraint uses $n+1$ copies of the variables in $X$ and $n+1$ variables $t_i$ to model the time elapsing between two consecutive edges, and imposes that the valuations of the variables along the run are consistent with the rates, guards and resets of $\mathcal{H}$. Finally, the algorithm checks whether $\Phi(\xi)$ is satisfiable and returns 'yes' iff it is the case.

The number of computation steps necessary to build $\Phi(\xi)$ is, in the worst case, exponential in the size of the instance (recall that $F(\mathcal{H}, T) = O(T \times 2^{|\mathcal{H}|})$ and that $T$ is given in binary). Moreover, checking satisfiability of $\Phi(\xi)$ can be done in polynomial time (in the size of the constraint) using classical algorithms to solve linear programs. Clearly this procedure is an NExpTime algorithm for solving the time-bounded reachability problem for RHA$^{\geq 0}$.
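To make the verification step of this algorithm concrete, here is an added Python example (written for this page, not the paper's code). It builds the linear constraint $\Phi(\xi)$ for one guessed edge sequence of a small automaton with singular rates and decides its satisfiability by Fourier-Motzkin elimination over exact rationals, which plays the role the LP solver plays in the algorithm. The automaton (`RATES`, `INV`, `EDGES`), the initial valuation and the helper names are all constructed for the example; guards and invariants are assumed to be closed rectangles, and the $n+1$ copies of the variables are kept implicitly as linear expressions in the delays $t_0, \ldots, t_n$.

```python
"""Verification step of the NExpTime algorithm: given a guessed edge sequence
xi = e_0 ... e_n, build Phi(xi) over the delays t_0..t_n (t_i is the time spent
in src(e_i) before firing e_i) and decide whether it is satisfiable.
Added example code, not from the paper; the automaton below is constructed."""
from fractions import Fraction as Fr
from itertools import product

# Constructed SHA with singular (constant) rates, closed rectangular guards and
# convex invariants.  EDGES maps a name to (source, target, guard, reset set).
RATES = {"l0": {"x": 1, "y": 2}, "l1": {"x": 0, "y": 1}}
INV = {"l0": {"x": (0, 3)}, "l1": {"y": (0, 5)}}        # location -> var -> [lo, hi]
EDGES = {
    "e0": ("l0", "l1", {"x": (1, 1)}, {"x"}),            # fires when x == 1, resets x
    "e1": ("l1", "l0", {"y": (3, 4)}, {"y"}),            # fires when 3 <= y <= 4, resets y
    "e2": ("l0", "l1", {"x": (2, 3)}, set()),
}

# A constraint is (coef, bound) meaning sum(coef[t] * t) <= bound, coef over delay names.
def box(cons, coef, const, lo, hi):
    """Add lo <= coef.t + const <= hi as two linear inequalities."""
    cons.append(({v: -a for v, a in coef.items()}, Fr(const) - lo))
    cons.append((dict(coef), Fr(hi) - const))

def build_constraint(seq, v0, T, rates=RATES, inv=INV, edges=EDGES):
    """Phi(seq): the value of each variable is tracked as (coef, const), a linear
    expression in the delays; guards, invariants and the time bound become inequalities."""
    cons, expr = [], {x: ({}, Fr(v)) for x, v in v0.items()}
    loc = edges[seq[0]][0]
    for i, name in enumerate(seq):
        src, trg, guard, resets = edges[name]
        if src != loc:
            raise ValueError(f"{name} does not start in {loc}")
        ti = f"t{i}"
        cons.append(({ti: Fr(-1)}, Fr(0)))                # t_i >= 0
        for x, (lo, hi) in inv.get(src, {}).items():       # invariant on entry
            box(cons, *expr[x], lo, hi)
        for x in expr:                                     # let t_i elapse at the singular rate
            coef, const = expr[x]
            if rates[src][x]:
                coef = {**coef, ti: coef.get(ti, Fr(0)) + Fr(rates[src][x])}
            expr[x] = (coef, const)
        for x, (lo, hi) in inv.get(src, {}).items():       # invariant on exit: flows are linear
            box(cons, *expr[x], lo, hi)                    # and invariants convex, so the two
        for x, (lo, hi) in guard.items():                  # endpoints suffice; then the guard
            box(cons, *expr[x], lo, hi)
        for x in resets:
            expr[x] = ({}, Fr(0))
        loc = trg
    for x, (lo, hi) in inv.get(loc, {}).items():           # invariant of the final location
        box(cons, *expr[x], lo, hi)
    cons.append(({f"t{i}": Fr(1) for i in range(len(seq))}, Fr(T)))   # time bound
    return cons

def feasible(cons):
    """Fourier-Motzkin elimination over the rationals: True iff some assignment of
    the delays satisfies every inequality (exponential in general, fine here)."""
    cons = [({v: a for v, a in coef.items() if a}, bound) for coef, bound in cons]
    for var in sorted({v for coef, _ in cons for v in coef}):
        pos = [(c, b) for c, b in cons if c.get(var, 0) > 0]
        neg = [(c, b) for c, b in cons if c.get(var, 0) < 0]
        cons = [(c, b) for c, b in cons if not c.get(var, 0)]
        for (cp, bp), (cn, bn) in product(pos, neg):
            ap, an = cp[var], -cn[var]
            # an * (cp.t <= bp) + ap * (cn.t <= bn): the coefficient of var cancels
            comb = {}
            for v in set(cp) | set(cn):
                a = an * cp.get(v, 0) + ap * cn.get(v, 0)
                if a and v != var:
                    comb[v] = a
            cons.append((comb, an * bp + ap * bn))
    return all(b >= 0 for _, b in cons)      # only constraints of the form 0 <= bound remain

def check_sequence(seq, v0, T):
    """The algorithm's acceptance test for one guessed sequence: is Phi(seq) satisfiable?"""
    return feasible(build_constraint(seq, v0, T))

if __name__ == "__main__":
    start = {"x": 0, "y": 0}
    for T in (10, 4, 3):
        print(T, check_sequence(["e0", "e1", "e2"], start, T))   # True, True, False
```

For the sequence $e_0 e_1 e_2$ from $x = y = 0$, the constraint forces $t_0 = 1$, $t_1 \in [1, 2]$ and $t_2 \in [2, 5/2]$, so the run exists within $T = 4$ but not within $T = 3$; the non-deterministic algorithm would guess such a sequence and run exactly this check.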

NExpTime-hardness To establish the NExpTime-hardness, we show how to reduce the membership problem for non-deterministic exponential-time Turing machines to time-bounded reachability for SHA$^{\geq 0}$.

A non-deterministic exponential-time Turing machine (NExpTM) is a tuple $M = (Q, \Sigma, \Gamma, \sharp, q_0, \delta, F, \xi)$ where $Q$ is the (nonempty and finite) set of control states, $\Sigma$ is the (finite) input alphabet, $\Gamma \supseteq \Sigma$ is the (finite) alphabet of the tape, $\sharp \in \Gamma$ is the blank symbol, $q_0 \in Q$ is the initial control state, $\delta \subseteq Q \times \Gamma \times \Gamma \times \{L, R\} \times Q$ is the transition relation, $F \subseteq Q$ is the set of accepting states, and $\xi = O(2^{p(n)})$ (for some polynomial $p$) is an exponential function that bounds the execution time of the machine on input $w$ by $\xi(|w|)$.

As usual, a state of $M$ is a triple $(q, w_1, w_2)$ where $q \in Q$ is a control state, $w_1 \in \Gamma^*$ is a word that represents the content of the tape on the left of the reading head (this word is empty when the head is on the leftmost cell of the tape), and $w_2 \in \Gamma^*$ is the content of the tape on the right of the reading head excluding the sequence of blank symbols ($\sharp$) at the end of the tape (in particular the first letter of $w_2$ is the content of the cell below the reading head).

A transition of the Turing machine is a tuple of the form $(q_1, \gamma_1, \gamma_2, D, q_2)$ with the usual semantics: it is enabled iff the current control state is $q_1$, the content of the cell below the reading head is equal to $\gamma_1$, and the head is not above the leftmost cell when $D = L$. The execution of the transition modifies the content of the tape below the reading head to $\gamma_2$, moves the reading head one cell to the right if $D = R$, or one cell to the left if $D = L$, and finally changes the control state to $q_2$. We write $(q, w_1, w_2) \vdash (q', w'_1, w'_2)$ if there exists a transition in $\delta$ from state $(q, w_1, w_2)$ to state $(q', w'_1, w'_2)$.

An (exponentially bounded) execution of $M$ on input $w$ is a finite sequence of states $c_0 c_1 \ldots c_n$ such that: (i) $n \leq \xi(|w|)$ (the execution is exponentially bounded); (ii) $c_0 = (q_0, \varepsilon, w \cdot \sharp^{\xi(|w|) - |w|})$ (the initial control state is $q_0$ and the tape contains $w$ followed by the adequate number of blank symbols); and (iii) for all $0 \leq i < n$: $c_i \vdash c_{i+1}$ (the transition relation is enforced). The execution is accepting iff $c_n = (q, w_1, w_2)$ with $q \in F$. W.l.o.g., we make the assumption that $\Sigma = \{0, 1\}$, $\Gamma = \{0, 1, \sharp\}$, and transitions only write letters in $\Sigma$. This ensures that in all reachable states $(q, w_1, w_2)$ we have that $w_1, w_2 \in \{0,1\}^*$.

The membership problem for an NExpTM $M$ and a word $w$ asks whether there exists an accepting execution of the Turing machine $M$ on $w$ that uses at most $\xi(|w|)$ steps.

Let us show how we can encode all executions of $M$ into the executions of an SHA$^{\geq 0}$ $\mathcal{H}_M$. We encode the words $w_1$ and $w_2$ as pairs of rational values $(l_1, c_1)$ and $(l_2, c_2)$ where $l_i = \frac{1}{2^{|w_i|}}$ encodes the length of the word $w_i$ by a rational number in $[0,1]$, and $c_i$ encodes $w_i$ as follows. Assume $w_1 = \sigma_0 \sigma_1 \ldots \sigma_n$. Then, we let $c_1 = \mathrm{Val}_{\leftarrow}(w_1) = \sigma_n \cdot \frac{1}{2} + \sigma_{n-1} \cdot \frac{1}{4} + \cdots + \sigma_0 \cdot \frac{1}{2^{n+1}}$. Intuitively, $c_1$ is the value which is represented in binary by $0.\sigma_n \sigma_{n-1} \cdots \sigma_0$, i.e., $w_1$ is the binary encoding of the fractional part of $c_1$ where the most significant bit is in the rightmost position. For instance, if $w_1 = 001010$ then $\mathrm{Val}_{\leftarrow}(w_1) = 0 \cdot \frac{1}{2} + 1 \cdot \frac{1}{4} + 0 \cdot \frac{1}{8} + 1 \cdot \frac{1}{16} + 0 \cdot \frac{1}{32} + 0 \cdot \frac{1}{64} = 0.3125$, and so $w_1$ is encoded as the pair $(\frac{1}{64}, 0.3125)$. Remark that we need to remember the actual length of the word $w_1$ because the function $\mathrm{Val}_{\leftarrow}(\cdot)$ ignores the leading 0's (for instance, $\mathrm{Val}_{\leftarrow}(001010) = \mathrm{Val}_{\leftarrow}(1010)$). Symmetrically, if $w_2 = \sigma_0 \sigma_1 \cdots \sigma_n$, we let $c_2 = \mathrm{Val}_{\rightarrow}(w_2) = \sigma_0 \cdot \frac{1}{2} + \sigma_1 \cdot \frac{1}{4} + \cdots + \sigma_n \cdot \frac{1}{2^{n+1}}$ (i.e., $\sigma_0$ is now the most significant bit). Then, a state $(q, w_1, w_2)$ of the TM is encoded as follows: the control state $q$ is remembered in the locations of the automaton, and the words $w_1, w_2$ are stored, using the encoding described above, in four variables holding the values $(l_1, c_1)$ and $(l_2, c_2)$.

With this encoding in mind, let us list the operations that we must be able to perform to simulate the transitions of the TM. Assume $w_1 = w^1_0 w^1_1 \cdots w^1_n$ and $w_2 = w^2_0 w^2_1 \cdots w^2_m$. We first describe the operations that are necessary to read the tape:

• Read the letter under the head. Following our encoding, we need to test the value of the bit $w^2_0$. Clearly, $w^2_0 = 1$ iff $l_2 \leq \frac{1}{2}$ and $c_2 \geq \frac{1}{2}$; $w^2_0 = 0$ iff $l_2 \leq \frac{1}{2}$ and $c_2 < \frac{1}{2}$; and $w^2_0 = \sharp$ iff $l_2 = 1$ (which corresponds to $w_2 = \varepsilon$).

• Test whether the head is in the leftmost cell of the tape. This happens if and only if $w_1 = \varepsilon$, and so if and only if $l_1 = 1$.

• Read the letter at the left of the head (assuming that $w_1 \neq \varepsilon$). Following our encoding, this amounts to testing the value of the bit $w^1_n$. Clearly, $w^1_n = 1$ iff $c_1 \geq \frac{1}{2}$ and $w^1_n = 0$ iff $c_1 < \frac{1}{2}$.

Then, let us describe the operations that are necessary to update the values on the tape. Clearly, they can be carried out by appending and removing 0's or 1's to the right of $w_1$ or to the left of $w_2$. Let us describe how we update $c_1$ and $l_1$ to simulate these operations on $w_1$ (the operations on $w_2$ can be deduced from this description). We denote by $c'_1$ (resp. $l'_1$) the value of $c_1$ (resp. $l_1$) after the simulation of the TM transition.

• To append a 1 to the right of $w_1$, we let $l'_1 = \frac{1}{2} \times l_1$. We let $c'_1 = \frac{1}{2}$ if $l_1 = 1$ (i.e. $w_1$ was empty) and $c'_1 = \frac{1}{2} \times c_1 + \frac{1}{2}$ otherwise.

• To append a 0 to the right of $w_1$, we let $l'_1 = \frac{1}{2} \times l_1$ and $c'_1 = \frac{1}{2} \times c_1$.

• To delete a 0 from the rightmost position of $w_1$, we let $l'_1 = 2 \times l_1$ and $c'_1 = 2 \times c_1$.

• To delete a 1 from the rightmost position of $w_1$, we let $l'_1 = 2 \times l_1$ and $c'_1 = (c_1 - \frac{1}{2}) \times 2$.

In addition, remark that we can flip the leftmost bit of $w_2$ by adding or subtracting $\frac{1}{2}$ to or from $c_2$ (this is necessary when updating the value under the head).

Thus, the operations that we need to be able to perform on $c_1$, $l_1$, $c_2$ and $l_2$ are: to multiply by 2, divide by 2, increase by $\frac{1}{2}$ and decrease by $\frac{1}{2}$, while keeping untouched the value of all the other variables. Fig. 4 exhibits the gadgets to perform these operations. Remark that these gadgets can be constructed in polynomial time, execute in exactly 1 time unit and that all the rates in the gadgets are singular.

We claim that all transitions of $M$ can be simulated by combining the gadgets in Fig. 4 and the tests described above. As an example, consider the transition $(q_1, 1, 0, L, q_2)$. It is simulated in our encoding as follows. First, we check that the reading head is not at the leftmost position of the tape by checking that $l_1 < 1$. Second, we check that the value below the reading head is equal to 1 by testing that $l_2 < 1$ and $c_2 \geq \frac{1}{2}$. Third, we change the value below the reading head from 1 to 0 by subtracting $\frac{1}{2}$ from $c_2$ using an instance of gadget (iii) in Fig. 4. And finally, we move the head one cell to the left. This is performed by testing the bit on the left of the head, deleting it from $w_1$ and appending it to the left of $w_2$, by the operations described above. All other transitions can be simulated similarly. Remark that, to simulate one TM transition, we need to perform several tests (which take no time) and to: (i) update the bit under the reading head, which takes 1 t.u. with our gadgets; (ii) remove one bit from the right of $w_1$ (resp. the left of $w_2$), which takes at most 3 t.u.; and (iii) append this bit to the left of $w_2$ (resp. the right of $w_1$), which takes at most 3 t.u. We conclude that each TM transition can be simulated in at most 7 time units.

Thus $M$ has an accepting execution on word $w$ (of length at most $\xi(|w|)$) iff $\mathcal{H}_M$ has an execution of duration at most $T = 7 \cdot \xi(|w|)$ that reaches a location encoding an accepting control state of $M$. This sets the reduction.
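To make the encoding and the update rules concrete, here is an added Python example (written for this page, not the paper's code). It encodes a configuration as the four rationals $(l_1, c_1, l_2, c_2)$, implements the read tests and the append/delete operations above as compositions of the four gadget operations (multiply by 2, divide by 2, add $\frac{1}{2}$, subtract $\frac{1}{2}$), simulates one TM transition on the encoding, and checks the result against the direct tape semantics. The helper names (`encode`, `step`, `step_direct`, ...) and the sample configurations are constructed for the example; it models the arithmetic of the reduction, not the locations and timing of $\mathcal{H}_M$.

```python
"""Arithmetic encoding of an NExpTM configuration (q, w1, w2) as rationals
(l1, c1, l2, c2), and simulation of one transition using only the operations
the gadgets provide (x2, /2, +1/2, -1/2) plus tests on l_i and c_i.
Added example code, not from the paper.  Words are over {0,1}; the blank is
never written and shows up only as w2 being empty (l2 == 1)."""
from fractions import Fraction as Fr

HALF = Fr(1, 2)
BLANK = "#"

def val_left(w):
    """Val_<-(w): the rightmost letter of w has weight 1/2, the leftmost 1/2^|w|."""
    n = len(w)
    return sum(Fr(int(b), 2 ** (n - i)) for i, b in enumerate(w))

def val_right(w):
    """Val_->(w): the leftmost letter of w has weight 1/2."""
    return sum(Fr(int(b), 2 ** (i + 1)) for i, b in enumerate(w))

def encode(q, w1, w2):
    """(q, w1, w2) -> (q, l1, c1, l2, c2) with l_i = 1/2^|w_i| recording the length."""
    return (q, Fr(1, 2 ** len(w1)), val_left(w1),
            Fr(1, 2 ** len(w2)), val_right(w2))

def decode(s):
    """Inverse of encode; used only to compare the simulation with the TM semantics."""
    q, l1, c1, l2, c2 = s
    n1, n2 = int(1 / l1).bit_length() - 1, int(1 / l2).bit_length() - 1
    w1 = "".join(str(int(c1 * 2 ** (n1 - i)) % 2) for i in range(n1))
    w2 = "".join(str(int(c2 * 2 ** (i + 1)) % 2) for i in range(n2))
    return q, w1, w2

# Tests the automaton performs on the encoded configuration (guards on l_i, c_i).
def at_leftmost_cell(s):
    return s[1] == 1                                   # w1 is empty

def letter_under_head(s):
    _, _, _, l2, c2 = s
    if l2 == 1:                                        # w2 is empty: blank cell
        return BLANK
    return "1" if c2 >= HALF else "0"

# Updates, each a combination of the gadgets; the tests on c decide which one to use.
def append_right_w1(l, c, b):
    return l * HALF, c * HALF + b * HALF               # halve, then add 1/2 iff b == 1

def delete_right_w1(l, c):
    b = 1 if c >= HALF else 0                          # read the rightmost letter of w1
    return b, 2 * l, 2 * (c - b * HALF)                # subtract 1/2 if needed, then double

def prepend_left_w2(l, c, b):
    return l * HALF, c * HALF + b * HALF

def delete_left_w2(l, c):
    b = 1 if c >= HALF else 0
    return b, 2 * l, 2 * (c - b * HALF)

def step(s, tr):
    """Simulate transition tr = (q1, g1, g2, D, q2) on encoded state s (None if disabled)."""
    q, l1, c1, l2, c2 = s
    q1, g1, g2, D, q2 = tr
    if q != q1 or letter_under_head(s) != g1 or (D == "L" and at_leftmost_cell(s)):
        return None
    if g1 == BLANK:                                    # writing on a blank cell extends w2
        l2, c2 = prepend_left_w2(l2, c2, int(g2))
    elif g1 != g2:                                     # flip the bit under the head by +-1/2
        c2 = c2 + HALF if g2 == "1" else c2 - HALF
    if D == "R":                                       # move right: shift one letter from the
        b, l2, c2 = delete_left_w2(l2, c2)             # left of w2 to the right of w1 ...
        l1, c1 = append_right_w1(l1, c1, b)
    else:                                              # ... or from the right of w1 to the left of w2
        b, l1, c1 = delete_right_w1(l1, c1)
        l2, c2 = prepend_left_w2(l2, c2, b)
    return (q2, l1, c1, l2, c2)

def step_direct(q, w1, w2, tr):
    """Reference: the same transition applied to the words themselves."""
    q1, g1, g2, D, q2 = tr
    head = w2[0] if w2 else BLANK
    if q != q1 or head != g1 or (D == "L" and not w1):
        return None
    w2 = g2 + w2[1:]
    if D == "R":
        w1, w2 = w1 + w2[0], w2[1:]
    else:
        w1, w2 = w1[:-1], w1[-1] + w2
    return q2, w1, w2

def simulate(q, w1, w2, tr):
    """Run tr through the encoding and return the decoded configuration."""
    out = step(encode(q, w1, w2), tr)
    return None if out is None else decode(out)

if __name__ == "__main__":
    tr = ("q1", "1", "0", "L", "q2")                   # the transition discussed above
    print(encode("q1", "001010", "1101"))              # constructed sample configuration
    print(simulate("q1", "001010", "1101", tr), step_direct("q1", "001010", "1101", tr))
```

Each arithmetic update in the block corresponds to one gadget of Fig. 4 (a halving, a doubling, or a $\pm\frac{1}{2}$), so counting the calls made by `step` reproduces the 7 t.u. budget per transition stated above; the length variables are what lets `letter_under_head` tell a blank cell from a 0, since `val_right` alone ignores trailing zeros.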

5 Computing fixpoints 

In this section, we show that Corollary 2 implies that we can effectively compute the set of states that are reachable within $T$ time units in an RHA with non-negative rates (using formulas of the first-order logic $(\mathbb{R}, 0, 1, +, \leq)$ over the reals as a symbolic representation for such sets). We demonstrate, by means of two examples, that this information can be useful in practice, in particular when the regular (not time-bounded) fixpoint computations do not terminate.

Post and Pre Let $s$ be a state of an RHA with set of edges $\mathrm{Edges}$. Then, we let $\mathrm{Post}(s) = \{s' \mid \exists e \in \mathrm{Edges}, t \in \mathbb{R}^+ : s \xrightarrow{t, e} s'\}$ and $\mathrm{Pre}(s) = \{s' \mid \exists e \in \mathrm{Edges}, t \in \mathbb{R}^+ : s' \xrightarrow{t, e} s\}$. We further let $\mathrm{Reach}^{\leq T}(s) = \{s' \mid \exists \pi : s \xrightarrow{\pi} s' \wedge \mathrm{duration}(\pi) \leq T\}$ and $\mathrm{coReach}^{\leq T}(s) = \{s' \mid \exists \pi : s' \xrightarrow{\pi} s \wedge \mathrm{duration}(\pi) \leq T\}$ be respectively the set of states that are reachable from $s$ (resp. that can reach $s$) within $T$ time units. We extend all those operators to sets of states in the obvious way.

Figure 4: Gadgets (i) for multiplication by 2, (ii) for adding $\frac{1}{2}$ and (iii) for subtracting $\frac{1}{2}$. The rate of every variable $y \notin \{x, z\}$ is 0. Gadget (i) can be modified to divide by 2, by swapping the rates of $x$ and $z$ in the second location. $x_0$ is the value of $x$ when entering the gadget.



Region algebra To symbolically manipulate sets of states, it is well known that we can use formulas of $(\mathbb{R}, 0, 1, +, \leq)$, i.e. the first-order logic of the reals with the constants 0 and 1, the usual order $\leq$ and addition $+$ (see [11] for the details). Recall that the satisfiability problem for that logic is decidable [4] and that it admits effective quantifier elimination. Further remark that, in an RHA, all guards can be characterised by a formula of $(\mathbb{R}, 0, 1, +, \leq)$ ranging over $X$. Let $\Psi$ be a formula of $(\mathbb{R}, 0, 1, +, \leq)$, and let $v$ be a valuation of the free variables of $\Psi$. Then, we write $v \models \Psi$ iff $v$ satisfies $\Psi$, and we let $[\![\Psi]\!]$ be the set of all valuations $v$ s.t. $v \models \Psi$. To emphasise the fact that a formula $\Psi$ ranges over the set of variables $X$, we sometimes denote it by $\Psi(X)$.

Based on $(\mathbb{R}, 0, 1, +, \leq)$, we can define a so-called algebra of regions [11] to effectively represent sets of states. The regions² in that algebra can be seen as functions $R$ from the set of locations $\mathrm{Loc}$ to quantifier-free formulas of $(\mathbb{R}, 0, 1, +, \leq)$ with free variables in $X$, representing sets of valuations for the variables of the RHA. More precisely, any region $R$ represents the set of states $[\![R]\!] = \{(\ell, v) \mid v \in [\![R(\ell)]\!]\}$. As $(\mathbb{R}, 0, 1, +, \leq)$ is closed under all Boolean operations, so is the region algebra. Since the logic is decidable, testing whether $s \in [\![R]\!]$ or whether $[\![R]\!] = \emptyset$ are both decidable problems.

In order to obtain fixpoint expressions that characterise $\mathrm{Reach}^{\leq T}(s)$ and $\mathrm{coReach}^{\leq T}(s)$ using the region algebra, we introduce $\mathrm{post}^\sharp$ and $\mathrm{pre}^\sharp$ operators ranging over regions. Let $R$ be a region. We let $\mathrm{post}^\sharp(R)$ be the region s.t. for all $\ell \in \mathrm{Loc}$, $\mathrm{post}^\sharp(R)(\ell)$ is obtained by eliminating quantifiers in $\Phi^e_\ell(X) \vee \Phi^t_\ell(X)$, where $\Phi^e_\ell(X)$ characterises all the states of location $\ell$ that are successors of $R$ by an edge whose target is $\ell$, and $\Phi^t_\ell(X)$ represents all the successors of $R(\ell)$ by a flow transition in $\ell$ (time elapsing). The following equations define $\Phi^e_\ell$ and $\Phi^t_\ell$, both ranging on the set of free variables $X$ (for an edge $e$, $g$ denotes its guard and $Y$ its set of reset variables):

$$\Phi^e_\ell(X) = \bigvee_{e \in \mathrm{Edges},\ \mathrm{src}(e) = \ell',\ \mathrm{trg}(e) = \ell} \exists X' : \Big( R(\ell')(X') \wedge g(X') \wedge \bigwedge_{x \in X \setminus Y} x = x' \wedge \bigwedge_{x \in Y} x = 0 \wedge \mathrm{Inv}(\ell')(X') \wedge \mathrm{Inv}(\ell)(X) \Big)$$

$$\Phi^t_\ell(X) = \exists t : \exists X' : \Big( t \geq 0 \wedge R(\ell)(X') \wedge \mathrm{Inv}(\ell)(X) \wedge \mathrm{Inv}(\ell)(X') \wedge \bigwedge_{x \in X} x' + t \cdot \min(\mathrm{Rates}(\ell, x)) \leq x \wedge \bigwedge_{x \in X} x \leq x' + t \cdot \max(\mathrm{Rates}(\ell, x)) \Big)$$

Symmetrically, we let $\mathrm{pre}^\sharp(R)$ be the region s.t. for all $\ell \in \mathrm{Loc}$, $\mathrm{pre}^\sharp(R)(\ell)$ is obtained by eliminating quantifiers in $\Psi^e_\ell(X) \vee \Psi^t_\ell(X)$, where $\Psi^e_\ell(X)$ represents all the states of location $\ell$ that are predecessors of $R$ by an edge whose source is $\ell$, and $\Psi^t_\ell(X)$ represents all the predecessors of $R(\ell)$ by a flow transition in $\ell$:

$$\Psi^e_\ell(X) = \bigvee_{e \in \mathrm{Edges},\ \mathrm{src}(e) = \ell,\ \mathrm{trg}(e) = \ell'} \exists X' : \Big( R(\ell')(X') \wedge g(X) \wedge \bigwedge_{x \in X \setminus Y} x = x' \wedge \bigwedge_{x \in Y} x' = 0 \wedge \mathrm{Inv}(\ell)(X) \wedge \mathrm{Inv}(\ell')(X') \Big)$$

$$\Psi^t_\ell(X) = \exists t : \exists X' : \Big( t \geq 0 \wedge R(\ell)(X') \wedge \mathrm{Inv}(\ell)(X) \wedge \mathrm{Inv}(\ell)(X') \wedge \bigwedge_{x \in X} x + t \cdot \min(\mathrm{Rates}(\ell, x)) \leq x' \wedge \bigwedge_{x \in X} x' \leq x + t \cdot \max(\mathrm{Rates}(\ell, x)) \Big)$$

To keep the above definitions compact, we have implicitly assumed that the rates are given as closed rectangles. The definitions of $\Phi^t_\ell$ and $\Psi^t_\ell$ can be adapted to cope with intervals that are left (respectively right) open by substituting $<$ (resp. $>$) for $\leq$ (resp. $\geq$).

² The notion of region used in this section differs from the notion of region given by $\mathrm{Reg}(\mathrm{cmax}, X)$ and used to define $R(\mathcal{H}')$. Notice however that any region from $R(\mathcal{H}')$ can be expressed via a quantifier-free formula of $(\mathbb{R}, 0, 1, +, \leq)$ with free variables in $X$. The converse is obviously not true.

In practice, formulas of $(\mathbb{R}, 0, 1, +, \leq)$ can be represented and manipulated as finite unions of convex polyhedra, for which efficient implementations exist. Those techniques have been implemented in HyTech [8] and PhaVer [6]. Unfortunately, termination of the symbolic model-checking algorithms is not ensured for linear hybrid automata. While it is known in the literature that the forward reachability and backward reachability fixpoint algorithms terminate for initialised rectangular hybrid automata [10], we show here that termination is also guaranteed for time-bounded fixpoint formulas over the class of RHA$^{\geq 0}$ (which are not necessarily initialised).



Time-bounded forward and backward fixpoints Let $\mathcal{H}$ be an RHA$^{\geq 0}$ with set of variables $X$, and let $T \in \mathbb{N}$ be a time bound. Let us augment $\mathcal{H}$ with a fresh variable $t$ to measure time (hence the rate of $t$ is 1 in all locations, and $t$ is never reset). Let $R$ be a region over the variables $X$. Then, it is easy to see that the following fixpoint equations characterise respectively $\mathrm{Reach}^{\leq T}([\![R]\!])$ and $\mathrm{coReach}^{\leq T}([\![R]\!])$:

$$\mathrm{Reach}^{\leq T}([\![R]\!]) = \mu Y \cdot \big(([\![R(X)]\!] \cup \mathrm{Post}(Y)) \cap [\![0 \leq t \leq T]\!]\big) \qquad (4)$$
$$\mathrm{coReach}^{\leq T}([\![R]\!]) = \mu Y \cdot \big(([\![R(X)]\!] \cup \mathrm{Pre}(Y)) \cap [\![0 \leq t \leq T]\!]\big) \qquad (5)$$

The next lemma ensures that these fixpoints can be effectively computed. The proof relies on Corollary 2.

Lemma 10 For all RHA$^{\geq 0}$ $\mathcal{H}$, all regions $R$ and all time bounds $T$, the least fixpoints (4) and (5) are respectively equal to the limits of $F_0, F_1, F_2, \ldots$ and $B_0, B_1, B_2, \ldots$ where:

$$F_0 = [\![R(X) \wedge 0 \leq t \leq T]\!]$$
$$F_i = \big(\mathrm{Post}(F_{i-1}) \cap [\![0 \leq t \leq T]\!]\big) \cup F_{i-1} \quad \text{for all } i > 0$$
$$B_0 = [\![R(X) \wedge 0 \leq t \leq T]\!]$$
$$B_i = \big(\mathrm{Pre}(B_{i-1}) \cap [\![0 \leq t \leq T]\!]\big) \cup B_{i-1} \quad \text{for all } i > 0$$

Furthermore, both sequences stabilise after at most $F(\mathcal{H}, T)$ iterations, and both fixpoints can be computed in worst-case doubly exponential time.






Proof. We justify the result for the least fixpoint equation (4); the result for the least fixpoint equation (5) is justified similarly.

By induction, it is easy to prove that, for all $i \geq 0$, $F_i$ contains all the states that are reachable within $T$ time units and by at most $i$ transitions. By Corollary 2, we know that all states that are reachable within $T$ time units are reachable by a run of length at most $F(\mathcal{H}, T)$. We conclude that $F_j = F_{j+1} = \mathrm{Reach}^{\leq T}([\![R]\!])$ for $j = F(\mathcal{H}, T)$. All the operations for computing $F_i$ from $F_{i-1}$ take polynomial time in the size of $F_{i-1}$, and so the size of $F_i$ is also guaranteed to be polynomial in the size of $F_{i-1}$; since $F(\mathcal{H}, T)$ is at most exponential in the size of the instance, the overall doubly-exponential time bound follows. □

Note that, by our NExpTime-hardness result, this deterministic algorithm can be considered optimal (unless NExpTime = ExpTime). Let us now consider two examples to demonstrate that this approach can be applied in practice.



< x < 1 



x > 



x = 




Figure 5: A stopwatch automaton for the leaking gas burner (top) and an SHA with 
bounded invariants (bottom). 



Example 1: Leaking gas burner We present an example of a system where the classical fixpoint computation for reachability analysis does not terminate, while the time-bounded analysis does terminate. Consider the example of a leaking gas burner [1]. The gas burner can be either leaking or not leaking. Leakages are repaired within 1 second, and no leakage can happen in the next 30 seconds after a repair. In Fig. 5 (top), an automaton with two locations and the clock $x$ is a model of the gas burner. In order to measure the leakage time and the total elapsed time, the stopwatch $t$ and the clock $y$ are used as monitors of the system. It was shown using backward reachability analysis that in any time interval of at least 60 seconds, the time of leakage is at most one twentieth of the elapsed time [8]. The fixpoint is computed after 7 iterations of the backward reachability algorithm. However, the forward reachability analysis does not terminate.

Using forward time-bounded reachability analysis we can prove the property that in all time intervals of fixed length $T \geq 60$, the leakage time is at most $T/20$. In order to prove that this property holds in all time intervals, we perform the reachability analysis from all possible states of the system (i.e., from location leaking with $0 \leq x \leq 1$, and location not_leaking with $x \geq 0$) and starting with $t = y = 0$. For a fixed time bound $T$, we compute the set of reachable states satisfying $y \leq T$ and check that $t \leq T/20$ when $y = T$. The results of this paper guarantee that the analysis terminates. Using HyTech, the property is established for $T = 60$ after 5 iterations of the forward time-bounded fixpoint algorithm. Thus, for all time intervals of $T = 60$ seconds, the leakage time is at most 3 seconds.

Example 2: bounded invariant In Fig. 5 (bottom), we consider a rectangular automaton with positive rates where all variables have a bounded invariant $[0,1]$. In this example, the forward reachability analysis of HyTech does not terminate because the set of reachable states is not a finite union of polyhedra (see Fig. 6). On the other hand, the time-bounded forward fixpoint terminates by Lemma 10. This example shows that it is not sufficient to bound the variables in the automaton to get termination: it is necessary to bound the time horizon of the analysis.

Figure 6: Reachable states for the automaton of Fig. 5 (bottom).
Proof of Lemma 2 

Proof. With each run $\rho = (\ell_0, v_0), (t_1, e_1), (\ell_1, v_1), \ldots, (t_n, e_n), (\ell_n, v_n)$ of $\mathcal{H}'$ we associate a run $\rho' = ((\ell_0, r_0), v_0), (t_1, e'_1), ((\ell_1, r_1), v_1), \ldots, (t_n, e'_n), ((\ell_n, r_n), v_n)$ of $R(\mathcal{H}')$ (hence with $\mathrm{duration}(\rho) = \mathrm{duration}(\rho')$) s.t.: 

• for all $0 \le i \le n$, for all $x \in X$ (assuming $t_{n+1} = 0$): 

$$r_i(x) = \begin{cases} 0^+ & \text{if } v_i(x) = 0 \text{ and } (t_{i+1} > 0 \text{ and } \dot{x} \neq 0) \\ 0^= & \text{if } v_i(x) = 0 \text{ and } (t_{i+1} = 0 \text{ or } \dot{x} = 0) \\ \text{[value illegible in the source]} & \text{otherwise} \end{cases}$$ 

• for all $0 \le i < n$, $e'_{i+1}$ is the unique edge between $(\ell_i, r_i)$ and $(\ell_{i+1}, r_{i+1})$ corresponding to $e_{i+1}$. 

We prove by (backward) induction (on $n$) that the run $\rho'$ is a genuine run of $R(\mathcal{H}')$. When $n = 0$, there is nothing to prove. Let us now assume that, given a run $\rho = (\ell_0, v_0), (t_1, e_1), (\ell_1, v_1), \ldots, (t_n, e_n), (\ell_n, v_n)$ of $\mathcal{H}'$, we have proved that $((\ell_1, r_1), v_1), \ldots, (t_n, e'_n), ((\ell_n, r_n), v_n)$ is a genuine run of $R(\mathcal{H}')$. To obtain the desired result, it remains to prove that $((\ell_0, r_0), v_0), (t_1, e'_1), ((\ell_1, r_1), v_1)$ is a genuine run of $R(\mathcal{H}')$. For this, we have to prove that for all $x \in X$: (i) $v_0(x) + t \times \mathrm{Rates}(\ell_0, r_0)(x) \models \mathrm{Inv}(\ell_0, r_0)$ for all $0 \le t \le t_1$, (ii) $v_0(x) + t_1 \times \mathrm{Rates}(\ell_0, r_0)(x) \models g'$ (where $g'$ is the guard of the transition $e'_1$), and (iii) $v_1(x) = 0$ (resp. $v_1(x) = v_0(x)$) if $x \in Y'$ (resp. $x \notin Y'$) (where $Y'$ is the reset set of the transition $e'_1$). Let us distinguish three cases: 

1. Case 1: $r_0(x) = 0^+$. In this case, by construction of $\rho'$, we know that $v_0(x) = 0$, $t_1 > 0$ and $\dot{x} \neq 0$. In particular, we have that $v_0(x) + t_1 \times \mathrm{Rates}(\ell_0, r_0)(x) > 0$. By construction of $R(\mathcal{H}')$, we know that $g'(x) = g(x) \wedge r''(x) \wedge (x > 0)$, where $g(x)$ (resp. $g'(x)$) represents the constraints³ on $x$ in the guard of the transition $e_1$ (resp. $e'_1$), and $r_0$ and $r''$ are related under $\mathrm{Rates}(\ell_0, r_0)$ (the relation symbol is illegible in the source). Moreover we have that $\mathrm{Inv}(\ell_0, r_0)(x) = \mathrm{Inv}(\ell_0)(x)$. Since $\rho$ is a genuine run of $\mathcal{H}'$, we clearly have that (i) and (iii) are satisfied. Point (ii) follows from the facts that $\rho$ is a genuine run of $\mathcal{H}'$ and that $v_0(x) + t_1 \times \mathrm{Rates}(\ell_0, r_0)(x) > 0$. 

2. Case 2: $r_0(x) = 0^=$. In this case, by construction of $\rho'$, we know that $v_0(x) = 0$, and $t_1 = 0$ or $\dot{x} = 0$. In particular, we have that $v_0(x) + t_1 \times \mathrm{Rates}(\ell_0, r_0)(x) = 0$. By construction of $R(\mathcal{H}')$, we know that $g'(x) = g(x) \wedge r''(x) \wedge (x = 0)$, where $g(x)$ (resp. $g'(x)$) represents the constraints on $x$ in the guard of the transition $e_1$ (resp. $e'_1$), and $r_0$ and $r''$ are related under $\mathrm{Rates}(\ell_0, r_0)$ (the relation symbol is illegible in the source). Moreover we have that $\mathrm{Inv}(\ell_0, r_0)(x) = \mathrm{Inv}(\ell_0)(x) \wedge (x = 0)$. Since $\rho$ is a genuine run of $\mathcal{H}'$, we clearly have that (iii) is satisfied. Points (i) and (ii) follow from the facts that $\rho$ is a genuine run of $\mathcal{H}'$ and that $v_0(x) + t \times \mathrm{Rates}(\ell_0, r_0)(x) = 0$, for all $0 \le t \le t_1$. 

3. Case 3: $r_0(x) \notin \{0^=, 0^+\}$. This case is simpler than the two previous ones. The three points (i), (ii) and (iii) follow from the fact that $\rho$ is a genuine run of $\mathcal{H}'$. 

Then, with each run $\rho' = ((\ell_0, r_0), v_0), (t_1, e'_1), ((\ell_1, r_1), v_1), \ldots, (t_n, e'_n), ((\ell_n, r_n), v_n)$ of $R(\mathcal{H}')$ we associate the run $\rho = (\ell_0, v_0), (t_1, e_1), (\ell_1, v_1), \ldots, (t_n, e_n), (\ell_n, v_n)$ where, for all $1 \le i \le n$, $e_i$ is the unique edge of $\mathcal{H}'$ that corresponds to $e'_i$. Since the guards and invariants of $R(\mathcal{H}')$ are more constraining than those of $\mathcal{H}'$, the fact that $\rho'$ is a genuine run of $R(\mathcal{H}')$ implies that $\rho$ is a genuine run of $\mathcal{H}'$. □ 

Proof of Lemma 3 

Proof. Let us first prove that, for all $0 \le i \le n$: $v_i \in r_i$. The proof is by induction on $i$. For $i = 0$, the property holds by definition of $R(\mathcal{H}')$ and because $((\ell_0, r_0), v_0)$ is an initial state. Assume $v_i \in r_i$ for some $i \ge 0$, and let us show that $v_{i+1} \in r_{i+1}$. Let $g$ and $Y$ denote respectively the guard and the reset set of $e_{i+1}$. Let $v' = v_i + t_{i+1} \times \mathrm{Rates}(\ell_i)$ be the valuation of the variables when crossing $e_{i+1}$. By construction, we know that there is a region $r''$ which is a conjunct of $g$ (hence $v' \in r''$) s.t. for all $x \notin Y$: $r''(x) = r_{i+1}(x)$. Thus, for all $x \notin Y$: $v'(x) = v_{i+1}(x) \in r_{i+1}(x)$. Moreover, still by construction, for all $x \in Y$: $r_{i+1}(x) \in \{0^=, 0^+\}$. Hence, for all $x \in Y$: $v_{i+1}(x) = 0 \in r_{i+1}(x)$ too. 

To conclude, the two last points of the lemma follow immediately from the construction of $R(\mathcal{H}')$, as for every edge $e$ and every variable $x$ s.t. $\mathrm{src}(e) = (\ell, r)$ and $r(x) = 0^=$ (resp. $r(x) = 0^+$), the constraint $x = 0$ (resp. $x > 0$) appears as a conjunct of $e$'s guard. □ 



³ Notice that it makes sense to decouple guards according to variables since there are no diagonal constraints. 